Data Mishaps Drive Push for New Rules

Lawmakers call for federal mandates on IT security and privacy in wake of recent breaches

BY JAIKUMAR VIJAYAN

Federal lawmakers, reacting sharply to recent data security breaches at several large companies, are proposing a mix of legislation that could impose new compliance burdens on IT managers — including the need to certify that sensitive personal data is protected.

As a result, companies need to review their information security strategies and ensure that they have adequate technology and procedural measures in place for safeguarding confidential data, responding to incidents and monitoring compliance with corporate policies, according to users, analysts and lawyers.

“Any company out there, whether they’re currently regulated or not, needs to be re-evaluating their security and making sure they know what’s going on,” said Kirk Nahra, a board member of the International Association of Privacy Professionals, a York, Maine-based association of IT security and privacy workers that has members from more than 1,000 companies.

“This is an issue that’s hot and heavy in Congress right now,” added a security analyst at a large financial services firm who asked that he not be identified. “Who knows what that will lead to?”

Those kinds of concerns are being fueled by legislative proposals such as one detailed on March 10 by Sen. Jon Corzine (D-N.J.), who said he plans to file a bill that would lead to the creation of federal data-protection standards and require CEOs or chief compliance officers to personally attest that their companies comply with the rules. Corzine’s draft leg-

Data Thefts, page 57
Users Turn to Operational Business Intelligence Tools

Emerging capability promises real-time access to most data

BY HEATHER HAVENSTEIN

To keep up with competitors, enterprises increasingly are demanding operational business intelligence — analytics embedded into processes to handle exceptions and make real-time decisions. Several corporate users said last week that they are implementing such techniques as tools emerge from key vendors such as SAS Institute Inc., Information Builders Inc. and Cognos Inc.

Just last month, Briggs & Stratton Corp., a Wauwatosa, Wis.-based manufacturer of lawn mower and garden tiller engines, began rolling out portal technology from the SAS 9 BI tool set and pairing it with SAS analytical applications. The company is looking for the joint system to provide its employees with BI information embedded in production

“It is such a hot button for us right now,” said Grant Felsing, decision-support man-

BI Tools, page 16

Photo caption: A lack of interoperability is hampering the use of wireless devices by police, fire and other emergency workers.
CONTENTS

Video E-mail Goes Corporate
In the Technology section: As the technology improves, video e-mail is finding its way into large companies as a tool for CRM, corporate communications and training. Page 23

How to Sponsor a Project
In the Management section: CIO Michael H. Hugos provides a crash course for your business sponsor on all the right questions to ask about IT projects. Page 29
NEWS

IBM’s purchase of Ascential Software has users hoping for a strong investment in its integration technology.

Novell’s CTO discloses that he plans to leave the company, but most users are unfazed.

H-1B fraud investigations are expected to pick up as a portion of application fees are earmarked to fund such efforts.

Recent data thefts prompt IT organizations to consider alternative protective measures.

Wireless technology has made strides in aiding emergency responders, but a lack of interoperability remains a huge shortcoming.

Business process management gains popularity among financial services firms looking to boost sagging profits.

The U.K. is expected to shelve legislation for a national identity card program.
OPINIONS

On the Mark: Mark Hall reports that vendors are hoping SIP will give IT managers more confidence about the security of VoIP products.

20 Don Tennant attends ceremonies for award-winning IT projects and award-winning IT journalism and reflects on the challenges both industries face.

20 Virginia Robbins knows that IT workers are professional, but she also knows they’re often perceived otherwise.

Michael Gartenberg breaks it down for IT decision-makers buying mobile devices.

26 Robert L. Mitchell says enterprises need to see the broader context of desktop search tools before integrating them into the IT infrastructure.

32 Barbara Gomolski wonders how much of a CIO’s destiny is shaped by his performance and how much is predetermined when he takes the job.

58 Frankly Speaking: Frank Hayes acknowledges that data can easily leak out of an e-health system, but only if safeguards are full of holes.

At Deadline Briefs
News Briefs
Letters
IT Careers
Company Index
How to Contact CW
Shark Tank

ANDREW SKWISH


KNOWLEDGE CENTER: SECURITY

Proactive Security
EDITOR’S NOTE: Learn how to build an IT security organization that can identify problems before they happen and block attacks before they do damage. PACKAGE BEGINS ON PAGE 35.

36 A Good Offense. Tired of being under attack, IT executives like Eric Litt, chief information security officer at GM, are taking preventive steps to head off security breaches.

40 Baked-In Security. Standardized efforts to address security inside the perimeter can cut enterprise configuration management and incident-response costs.

Intrusion-prevention systems don’t just tell you there may be an attack — they block it before it happens. But false positives remain a big problem. Plus, five tips for selecting an IPS.

46 Supersmart Security. Fresh from the lab, these intelligent security systems are designed to recognize new threats and limit damage.

50 Opinion: Most companies are overlooking their biggest security hole — their own people, says columnist Mark Hall.

15 Tips for Responsible Computing. The Cutter Consortium Business Technology Council offers strategies for reduc- QuickLink 52856
Microsoft to Set VS 2005 Pricing

Microsoft Corp. this week will detail pricing for its Visual Studio application development tool, due to ship in the second half of the year. Licenses range from $49 for the Express Edition to $799 for the Professional Edition. Professional Edition costs $2,499 with a premium MSDN license, and volume licenses for the Team System start at $3,191.

Oracle, SAP Keep Battling for Retek

Oracle Corp. increased its bid for Retek Inc. to $630 million late last week, again outbidding rival SAP AG in the tug of war for the retail software maker. SAP had upped its bid to $616 million in response to Oracle’s surprise bid for Retek a week earlier. Retek’s board had accepted SAP’s second bid prior to Oracle’s latest offer.

Oracle CFO Moves To BearingPoint

Oracle Corp.’s chief financial officer, Harry You, has disclosed plans to leave the vendor after eight months on the job. You will become CEO of services company BearingPoint Inc., replacing interim CEO Rod McGeary. You had replaced Jeff Henley in July when Henley became chairman of Oracle’s board. Co-president Safra Catz will become acting Oracle CFO.

CA World Is Back On the Calendar

After considering canceling this year’s CA World user conference amid management changes last year, Computer Associates International Inc. has put the show back on its calendar, for Nov. 13-17 in Las Vegas. The last show was held in May 2004, three weeks after interim CEO Ken Cron replaced the scandal-tainted Sanjay Kumar. The bid to cancel the show was halted late last year by new CEO John Swainson.
IBM Pays $1.1B to Acquire Data Integration App

With Ascential deal, it gets Informix technology it passed over in 2001

BY MARC L. SONGINI

IBM’s $1.1 billion purchase of Ascential Software Corp. has users hoping that IBM will continue investing in Ascential’s data integration and management technology.

Ironically, Ascential was created in the aftermath of IBM’s 2001 acquisition of the Informix database from the former Informix Corp. IBM also bought the Informix name, so the remainder of the firm — consisting mostly of the data integration technology — was renamed Ascential.

IBM said it hopes to use the Ascential technology to extend its existing WebSphere data integration offerings. The joint portfolio will make it easier for customers to integrate, format and manage information for business intelligence, performance management and other operations, the company claimed.

Westboro, Mass.-based Ascential will be folded into the IBM information management software group, headed by general manager Janet Perna. IBM said management moves related to the acquisition will be disclosed once it’s completed. The deal is expected to close by midyear.

Wait-and-See Mode

A couple of Ascential users said they aren’t yet sure how the acquisition will affect them.

At the very least, IBM brings great size and breadth to the smaller company, whose product portfolio will also likely be enriched by IBM’s technology, said Danny Siegel, senior manager in the finance business technology group of Pfizer Global Pharmaceuticals.

“This couldn’t be anything but a plus from a client perspective,” he said.

However, Siegel also noted that he wants IBM to clarify its plans for continuing development of the Ascential product line and to assure customers that the move is indeed a “true strategic acquisition.” The Pfizer unit uses Ascential’s DataStage 7.5 to enable data integration.

Another Ascential customer, Stephen Zander, vice president of enterprise business intelligence services at health care provider McKesson Corp. in San Francisco, added, “I think we need to see some product direction announcements in the next 90 days before I’ll be comfortable.”

He noted there is overlap in some products, but none that will likely affect Ascential’s core customers.

Although IBM left Ascential on the table in its 2001 acquisition of Informix, the two companies formed a strong partnership and today share some 550 joint customers.

In an e-mail, an IBM spokeswoman explained that in 2001, IBM was focused primarily on buying a database and its installed base. Since then, IBM has started a major initiative around information integration.

“They are a fit for us today because now Ascential Software has far more customers and offers richer capabilities for customers at a time when we are focused on providing integration middleware,” she said.

Why IBM didn’t buy out Ascential in 2001 isn’t clear, but apparently IBM’s management believed that integration could be achieved by just enhancing the Web server or database management system, suggested Curt Monash, an analyst at Acton, Mass.-based consultancy Monash Information Services and a Computerworld columnist. “Or maybe they just couldn’t agree on a price,” he said. QuickLink 53212

IBM Expects BI Boost From Deal

IBM’s acquisition of Ascential Software is part of the company’s new focus on positioning its DB2 database for data warehousing as well as maintaining its traditional stronghold as a transactional database.

IBM hopes to boost its business intelligence market share by utilizing Ascential’s extract, transform and load (ETL) tools, which are often used today in BI deployments because ETL is the preferred integration method for data warehousing projects.

Ascential’s integration suite will complement IBM’s WebSphere Information Integrator products, according to IBM. Ascential technology can be used to populate and maintain data warehouses for strategic analysis while tapping IBM’s WebSphere integration products to correlate real-time events to information in the data warehouse, said Janet Perna, general manager of IBM’s information management software group.

The Ascential acquisition is part of IBM’s plan to snag a piece of the growing data warehousing and BI market, with more enterprises demanding access to performance data to make tactical decisions, said Philip Russom, an analyst at Forrester Research Inc.

“Since data warehousing is growing faster than transactional databases . . . it makes sense for them to pursue that market,” he said. “The Ascential acquisition will give them a high-quality ETL tool for data warehousing.”

IBM in the second quarter of this year plans to release a new Data Warehouse Edition that integrates its DB2 database, DB2 CubeViews metadata bridge, WebSphere data integration tool and its data mining application. IBM has also released a BI package tailored for law enforcement and is working on packages aimed at the banking and insurance sectors.

Klaus Mikkelsen, global development leader at Ascential user Owens Corning in Toledo, Ohio, said the deal could have a positive long-term impact for his company, given IBM’s larger research-and-development resources.

“My biggest concern is around support, which traditionally has been outstanding for Ascential,” Mikkelsen said. “I would watch any changes in the support structure with some trepidation.”

- Heather Havenstein

AT A GLANCE
IBM/Ascential

PRICE: $1.1 billion

WHAT IT MEANS: IBM gets access to Ascential’s data integration, cleansing, management and formatting tools.

WHO’S IN CHARGE: Ascential will become a business unit in IBM’s information management software group under general manager Janet Perna.

WHEN THE DEAL CLOSES: In the second quarter of this year.
Novell CTO Sets Exit Plan on Eve of User Conference

BY CAROL SLIWA

Just days before this week’s kickoff of Novell Inc.’s annual BrainShare user conference, its chief technology officer disclosed plans to leave the company at the end of the month to become the general manager of a software business unit at another IT vendor.

The planned departure of CTO Alan Nugent comes on the heels of former No. 2 executive Chris Stone’s surprise exit last November [QuickLink 50595]. But several Novell users said they were unfazed by the news that Nugent is following Stone, whose title was vice chairman, out the door.

“So the president and CTO have come and gone. This is just another one,” said Jay Hall, unit manager of server engineering at Blue Cross and Blue Shield of Alabama in Birmingham. “In our opinion, they still have the best technology around, and as long as we believe that’s true, we’re going to stay with them.”

Hall said he supports Novell’s Linux strategy as “the only chance they have to get back in the game.” His company already is testing the Open Enterprise Server software that Novell shipped earlier this month. OES supports file, print, directory and other computing services on both NetWare and SUSE Linux.

“All of those upper management positions seem to be a revolving door,” said Brad Staupp, a senior support analyst at NetWare user Johnson County Community College in Overland Park, Kan. “But I’ve been a beta tester for six years, and the majority of the people that write the code and do the day-to-day work, they’re still there.”

Novell hasn’t said whether it plans to fill Nugent’s or Stone’s positions, noted company spokesman Bruce Lowry.

Nugent, who said he joined Novell at Stone’s behest in June 2002, stressed that he was happy at the company and that his decision has nothing to do with Stone’s exit. He said the new job represents a “fabulous opportunity” to oversee a business unit that is “larger than Novell.” Nugent said he was approached by the company, which he declined to identify, and added that he will remain on Novell’s payroll until month’s end.

Jon Strickland, president of the Triangle Novell Users’ Group in Raleigh, N.C., said Stone’s departure sparked discussion at a member meeting. But he views Nugent’s departure as “par for the course” at Novell. “As long as they keep their general focus — being dedicated to Linux and open-source as well as supporting their NetWare base I don’t think any customers should show any concern,” said Strickland, who is a senior network engineer at Alphanumeric Systems Inc., a Novell business partner.

Not everyone shares that view, though. A Computer Sciences Corp. employee who works on a contract basis at a large government agency and asked not to be identified said the management changes are “just another indicator that Novell is in trouble.”

The agency last November started to replace NetWare with Microsoft Corp.’s Windows Server, partly because of concerns about Novell’s long-term direction, according to the contractor. “And the sad thing is, they have a great product,” he said. “I would much rather be on NetWare servers and a NetWare directory than [on] Microsoft.” QuickLink 53251

H-1B Fraud Investigations Are Expected to Increase

Higher application fee earmarks money for probes

BY PATRICK THIBODEAU

Companies that hire H-1B visa holders may soon face a greater risk of being investigated for their treatment of those workers because of changes in the law that are due to take effect this month and additional funding for enforcement by the U.S. Department of Labor.

For now, the number of investigations into H-1B abuses is small. According to Labor Department figures, agency officials conducted 49 investigations into alleged H-1B abuses from the beginning of the government’s current fiscal year last October through Jan. 31. In comparison, there were 142 and 118 investigations during the entire 2003 and 2004 fiscal years, respectively.

When Congress approved the Visa Reform Act of 2004 in November, it increased the H-1B application fee by $2,000 and earmarked $500 of each payment for antifraud efforts. Immigration attorneys said last week that they expect the Labor Department to increase its scrutiny of the use of H-1Bs after the government begins collecting the new fee.

“We are going to see more investigations, and not only because there is more money allocated for the purpose,” said Irina Plumlee, a lawyer at Gardere Wynne Sewell LLP in Dallas. She added that heightened security measures and the political climate in Congress are also factors.

Frida Glucoft, a partner at Mitchell Silberberg & Knupp LLP in Los Angeles, said the number of investigations over the past few years seems low, “but I think we are going to be seeing more audits.”

The message for IT managers who use H-1B workers is to ensure that all of the program’s rules are followed to the letter, the attorneys said.

Investigations are typically triggered by complaints from H-1B holders. But the government can also conduct random audits or launch investigations based on information from third-party sources. A typical remedy involves payment of back wages by employers; for example, more than $2 million was paid to workers in fiscal 2003.

In addition to the antifraud funding, the new law gives federal officials more grounds on which to investigate companies, such as checking compliance with a modified wage-rate system that also is due to take effect this month. That system will allow for greater variances in pay to visa holders.

The government initially capped the number of H-1B visas available for this fiscal year at 65,000, a limit that was reached on Oct. 1 — the first day of the fiscal year. An additional 20,000 visas were supposed to become available on March 8 for foreign workers who hold master’s or Ph.D. degrees from U.S. universities, but that process has been delayed pending publication of the rules governing the visas in the Federal Register.

Robert Webber, an immigration attorney in Edina, Minn., said the handling of the new law by the U.S. Citizenship and Immigration Services (USCIS) agency has been an “absolute disaster.” The agency “has refused to accept filings by employers for the new H-1B [visas] and, in the process, has created complete confusion,” Webber said.

The confusion stems, in part, from a recent USCIS statement saying that the visas would be available to anyone, not just workers with advanced degrees. A spokesman for the agency said that until the rules are published, the exact requirements won’t be known. But he noted that the measure passed by Congress did create an exemption for 20,000 advanced-degree holders. QuickLink 53254

Corrections

The story in last week’s News section about the bidding war between SAP AG and Oracle Corp. over Retek Inc. misstated the purchase prices that were being offered by both SAP and Oracle. A corrected version of the story can be read on our Web site at

A story in the March 7 News section (“Tape Mishap Prompts Calls for Disk Backups”) included an incomplete title for Time Warner Cable executive Bo Coughlin. He is vice president of the Raleigh (N.C.) Division at Time Warner

The images that accompanied a March 7 story about the planned Freedom Tower in New York (“Project at World Trade Center Site Puts Advanced Design Tools to Test”) were provided by architect Skidmore, Owings & Merrill LLP. But they were rendered by New York-based dbox Inc.
EC OKs Sale of ContentGuard

The European Commission has given Microsoft Corp., Time Warner Inc. and Thomson SA the green light to close their joint acquisition of digital rights management company ContentGuard Inc. in Bethesda, Md. The EC expressed concern last year that approving an attempt by Microsoft and Time Warner to buy ContentGuard would let the firms gain control of the DRM market. The EC approved the deal when Thomson was made a partner.

WebMD Buys Health Care Tools

WebMD Corp. in Elmwood Park, N.J., has acquired HealthShare Technology Inc., a maker of health care decision-support systems and a provider of Web-based tools for hospital quality comparison. It paid $31 million in cash and will pay an additional $5 million if financial milestones are achieved during this calendar year.

Beta Begins for Flagship SCO Unix

The SCO Group Inc. said its OpenServer 6 flagship Unix operating system has entered formal beta testing and is expected to ship in May. The product, code-named Legend, is part of a multiyear, multimillion-dollar development effort. The software is said to offer performance and security enhancements and have the ability to integrate with popular open-source technologies.

Verizon Buys 23 Spectrum Licenses

Verizon Wireless will pay $102.5 million to acquire 23 spectrum licenses and other assets from Leap Wireless International Inc. The deal, expected to close by midyear, will allow Verizon to expand its network into new U.S. markets while increasing its capacity in existing markets.
ON THE MARK
HOT TECHNOLOGY TRENDS, NEW PRODUCT NEWS AND INDUSTRY GOSSIP BY MARK HALL
www.computerworld.com

SIP Tips VoIP Into Secure . . .

. . . territory. Or so hope vendors hawking voice-over-IP products and services. Most suppliers of VoIP technology acknowledge the perception that it has security holes. But many feel that the Session Initiation Protocol (SIP), currently winding its way through the Internet Engineering Task Force’s standards process, can help put IT managers’ minds at ease. Kevin Fecher, CEO of OpenAir Technologies Inc. in Reston, Va., said he thinks that VoIP’s security problems “are overblown.” But, he acknowledges, you need to plan and deploy your VoIP network very carefully to ensure that it’s secure. Fecher, whose company installs VoIP systems for businesses, says the majority of his customers currently use the H.323 protocol, which is far more complex to manage than SIP is. But SIP is gaining ground, he adds.

SIP’s virtues include simple administration and the ability to handle any media, says Thom O’Connor, a solutions architect at Stalker Software Inc., a messaging technology vendor in Mill Valley, Calif. “Once you establish a connection, you can do anything over it,” he says, pointing to uses such as instant messaging, voice communications and e-mail. SIP also authenticates end users to ensure, for example, that callers or IMers are who they say they are. O’Connor says that with an IP infrastructure, a unified messaging strategy (“What we’ve all been talking about for 10 years”) is finally possible. John Todd, chief technology officer at VoIP Inc. in Fort Lauderdale, Fla., argues that VoIP is already secure and that there’s no threat of someone tapping into your IP phone network. But, he concedes, vendors “are all worried about interception” of calls at an Internet service provider’s network hub. That’s the only place where calls can be snooped, he says.

Partisan election tool becomes . . .

. . . independent marketing product. The technology that was behind the Democratic Party’s record $185 million fund-raising effort during last year’s political campaign is leaving the donkey’s tent for a broader audience. According to Juan Proaño, president of New York-based Plus Three LP, his company’s Arcos 4.0 integrated stack of open-source Web, database and messaging technologies will become available this week to more than liberal politicians. Arcos includes tools to conduct and manage massive e-mail campaigns, and Proaño says the new release improves workflow processes and boosts performance to handle spikes in Web traffic. The software is free, of course — but Plus Three charges between $150,000 and $300,000 for setup and customization. Acknowledging that his side lost last fall’s presidential election, Proaño nonetheless defends Arcos. “We like to think that the technology held us close,” he says. Proaño expects the primary users of the software will be nonprofit organizations, but he says companies with large-scale e-mail needs can also benefit. He adds that Plus Three might consider selling its services to Republicans “on a case-by-case basis.”

Stop political (and other) spam . . .

. . . from reaching your end users. Dan Wallace, vice president of marketing at DigiPortal Software Inc. in Sanford, Fla., says his company’s release of ChoiceMail Enterprise 3.0 next week “offers an end to the spam arms race.” New features include global policies that can override the antispam rules of end users. You can also use ChoiceMail’s administration console to block the IP addresses of spammers instead of doing that at your firewall — which is trickier to pull off, Wallace claims. The software costs $65 per user.

Meanwhile, Postini Inc. has taken pity on small and midsize businesses that are deluged with spam. Redwood City, Calif.-based Postini now offers its antispam service to companies with modest internal IT support. According to Andrew Lochart, director of product marketing, Postini Small Business Edition simplifies the battle against spam. For example, he says, the configuration process for Postini’s Enterprise Edition takes 15 steps, whereas the new release requires just two. It starts at $25 per user annually and is available today.

Des Cahill, CEO of Habeas Inc. in Mountain View, Calif., suggests that we need to rethink our spam defenses. “The war on spam as we’ve been fighting it isn’t working,” he says. Habeas’ goal is to make message senders prove themselves as legitimate e-mailers. Habeas establishes an accreditation and reputation score for senders. Its namesake technology creates profiles of senders’ practices that can be detected by antispam tools, such as the open-source SpamAssassin 3.1 software due out next month. “We’re building the über-whitelist for the Internet — a trust network for e-mail,” Cahill says. QuickLink 53213





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Data ‘Thefts Prompting 
IT Security Checks 


Stricter rules, 
encryption among 
options considered 


BY LUCAS MEARIAN 
ANK OF America 
Corp.’s loss of credit 
card data on some 
1.2 million customers, 
along with other recent securi- 
ty incidents, has renewed 
interest among some IT execu- 
tives in encrypting data writ- 
ten to backup tapes. But others 
maintain that simply following 
existing data-protection rules 
can prevent such losses. 
Drew West, vice president 
of engineering services at First 





National Bank of Arizona 
in Phoenix, said his bank is 
looking into encrypting the 
data it stores on tape, as well 
as other methods of increasing 
data security. 

“We will be deploying 


additional encryption method- | 


ologies as well as harder au- 
thentication,” West said. 


| “There are quite a bit of re- 
; sources being focused on it.” 


Rich Mogul, an analyst 
at Gartner Inc., said recent 
cases of data loss or identify 
theft through hacking have 
definitely accelerated plans at 
financial services firms to roll 
out greater data-protection 
schemes. 





“There’s a reasonably wide- 
spread use of encryption... as 
well as content-monitoring 
and -filtering tools,” he said. “I 
think it’s the fear factor that’s 
probably driving it more than 
anything else.” 

On the other hand, Scott Jefferies, an independent IT consultant who works at a large Wall Street firm, said that any outcry for using complex security techniques such as encrypting data on backup tapes has so far been muted because there is too much processing overhead involved in the technology.

Jefferies, who declined to 
identify his current client, 


Wireless Helps on Homeland Security, but IT Gaps Remain


BY MATT HAMBLEN 
NEW ORLEANS 

The wireless technologies 
available to police, fire and 
other emergency workers 
have improved since the 9/11 
terrorist attacks, according to 
a panel of government offi- 
cials and vendor executives 
who spoke at last week’s CTIA 
Wireless 2005 conference. 

But they said during the 
panel discussion and in later 
interviews that much work 
remains to be done to improve 
the interoperability of wire- 
less devices for emergency 
responders and to set up effec- 
tive warning systems in the 
event of another terrorist at- 
tack or a natural disaster. 

The widespread lack of interoperability among public safety networks is one of the most serious homeland security shortcomings, panelists noted. “It’s going to take time to solve that problem, and it’s unfortunate,” said moderator Christopher Guttman-McCabe, assistant vice president for regulatory policy and homeland security at the CTIA, the Washington-based trade group that sponsored the conference here.

As an example of the disparities that now exist, the Tennessee Valley Authority has 38 different wireless networks used by various personnel, said one audience member, a communications engineer at the TVA who asked not to be named. The engineer added that 20 of the networks are now being consolidated into a single one based on Nextel Communications Inc.’s technology. The project with Nextel will hopefully simplify a complex system, although further consolidation would help, he said.

“It’s going to take time to solve [the interoperability] problem, and it’s unfortunate.”
CHRISTOPHER GUTTMAN-MCCABE, ASSISTANT VICE PRESIDENT, CTIA

Some police and fire personnel are forced to carry several wireless radios or have to yell through bullhorns at emergency scenes, said Jim Dailey, director of the office of homeland security at the Federal Communications Commission. The problem is political as well as technological, Dailey noted; he and other panelists said that different jurisdictions in large metropolitan areas often want to retain control of their own networks.

Metropolitan regions might be able to increase cooperation among cities and towns by developing Wi-Fi mesh networks for transmitting information, said Ron Sege, president of Tropos Networks





Data Security Options

■ Encrypt data that’s in transit or has been archived.

■ Use content-monitoring tools to identify proprietary data in e-mail.

■ Review password permissions, access roles and end-user entitlements.


maintained that adherence to existing security processes can oftentimes eliminate or mitigate security problems. For example, companies need to keep a tighter handle on password permissions and end-user access privileges to prevent theft by disgruntled workers or former employees. “Things in the news that are huge right now are one-off issues. I don’t think they’re systemic or point to a pattern or a huge hole necessarily,” he said.


Inc., which has installed outdoor Wi-Fi routers in more than 125 cities nationwide.


The problem with using Wi-Fi for emergency purposes is that the networks operate in unlicensed radio spectrum, which makes them vulnerable to interference, said Guttman-McCabe. But technologies could be developed to prevent such vulnerabilities, he added.


Wireless network operators responded quickly to a call from President Bush for Wireless Priority Service capabilities after Sept. 11, 2001, said John Graves, WPS program director for the Department of Homeland Security’s National Communications System unit. WPS lets an emergency responder using a wireless device equipped with a special code be put at the head of the line of wireless calls running over a network, Guttman-McCabe said. @ 53242


MORE NEWS ONLINE

EDS teams up with a consulting firm to support mobile virtual network operators. QuickLink 53246

BlackBerry users will get access to corporate apps, instant messaging services. QuickLink 53203

www.computerworld.com




Some firms had started encryption efforts before the recent data-theft incidents.

For six months, Boeing Employees Credit Union (BECU) has been encrypting all data written to backup tapes using an appliance from Decru Inc. in Redwood City, Calif., in order to protect against unauthorized access to information that is moved off-site. The Tukwila, Wash.-based credit union uses Iron Mountain Inc. to move 140 tapes every week to a long-term archival site from four main data centers.


Backup Plans
Daniel Chow, IT systems and security engineer at BECU, said Decru’s DataFort T-Series storage security appliance adds no latency to his backup process. However, it has caused the Hewlett-Packard Co. disk arrays it is backing up to need rebooting from time to time because HP has yet to certify the DataFort appliance with its servers as EMC Corp. and other storage vendors have done.

“There were technical issues we had to spend a lot of resources to resolve,” Chow said. Even so, he said the Decru product has been very reliable for his daily backups, which involve about 4TB of data.

Chow noted that once backup tapes leave a data center, officials can never be positive of their security. “How confident are you that the courier is going to get that tape [to its destination] and not lose it?” he asked.

Bank of America said late last month that it had notified the U.S. Department of Defense and the General Services Administration that “a few” tapes containing account information for customers of the GSA’s SmartPay travel cards were missing [QuickLink 52928]. Bank of America spokeswoman Alex Trower did not return calls last week but previously said the tapes were part of a larger shipment of media to a backup data center. She wouldn't say whether the tapes were stolen.
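The property BECU is buying with its tape-encryption appliance, and the one Bank of America lacked when its tapes went missing, can be shown in a few dozen lines. The example below is added here; it is not code from the article, from Decru, BECU or Bank of America. It assumes a master key that stays in the data center (in a real deployment inside the appliance or a key manager) and uses an encrypt-then-MAC construction built only from HMAC-SHA256, with HMAC in counter mode as the keystream, so it runs on a bare Python install; that construction is a stand-in for AES-GCM or a comparable authenticated cipher, not a recommendation for production. The backup record is a constructed sample, and the card number in it is a well-known test value.

```python
# Added example (not from the article or the vendors named in it): why data
# should be encrypted before it is written to tape. The threat is a tape
# lost in transit, so the goal is that the tape alone, without the key held
# back in the data center, yields nothing, and that a tampered tape is
# rejected rather than silently restored. Encrypt-then-MAC built only from
# HMAC-SHA256 (HMAC in counter mode as the keystream); illustration only,
# not a replacement for AES-GCM in a real backup system.
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def derive_subkeys(master_key: bytes) -> tuple:
    """Key separation: one key for the keystream, a different one for the tag."""
    enc_key = hmac.new(master_key, b"tape/encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"tape/authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode: block i = HMAC(enc_key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_record(master_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Produce what goes on tape: nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_record(master_key: bytes, record: bytes) -> bytes:
    """Restore from tape: verify the tag first, only then decrypt."""
    enc_key, mac_key = derive_subkeys(master_key)
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated tape record")
    nonce, ciphertext, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("tape record failed integrity check (wrong key or tampered)")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


# Constructed sample backup record; the card number is a well-known test value.
SAMPLE_RECORD = b"acct=4111111111111111,name=J. Doe,limit=5000\n"


def lost_tape_scenario(master_key: bytes) -> dict:
    """Run the cases the article worries about and report each outcome."""
    tape = seal_record(master_key, SAMPLE_RECORD)
    results = {
        "restores_with_key": open_record(master_key, tape) == SAMPLE_RECORD,
        "plaintext_absent_from_tape": SAMPLE_RECORD not in tape,
        "card_number_absent_from_tape": b"4111111111111111" not in tape,
    }
    # A courier loses the tape: whoever finds it does not have the key.
    try:
        open_record(os.urandom(32), tape)
        results["readable_without_key"] = True
    except ValueError:
        results["readable_without_key"] = False
    # The tape comes back with one byte of ciphertext altered.
    tampered = bytearray(tape)
    tampered[NONCE_LEN + 5] ^= 0x01
    try:
        open_record(master_key, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    # The master key lives in the appliance or key manager, never on the tape.
    for name, ok in lost_tape_scenario(os.urandom(32)).items():
        print(f"{name:32s} {ok}")
```

The point Chow makes about the courier is the point of the design: once the key never travels with the media, the question of whether a lost tape was stolen stops mattering for the data on it. The flip side is that the key manager becomes the thing you cannot lose; it needs its own backup and a rotation plan, or a lost key turns every archived tape into scrap.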


@ 53237 
BRIEFS


Ebbers Found Guilty 
Of WorldCom Fraud 


Former WorldCom Inc. CEO Bernard Ebbers was found guilty on all charges of conspiracy and fraud brought against him in connection with the $11 billion in accounting misstatements that led to the telecommunications giant’s bankruptcy. Ebbers could receive 85 years in jail when he is sentenced June 13. Ebbers’ attorney said he plans to appeal the verdict.


IT Manager Gets
Sentenced for Hack


An Orange, Calif., IT manager who earlier pleaded guilty to hacking into a previous employer’s computer network has been sentenced to five months in prison and ordered to pay $45,000 in restitution. According to a plea agreement, Mark Erfurt broke into the computer systems of Santa Clara, Calif.-based Manufacturing Electronic Sales Corp. in January 2003. At the time, Erfurt was an employee of an MESC competitor, Centaur Corp.


Former Qwest CEO
Faces Charges

The U.S. Securities and Exchange Commission has charged former Qwest Communications International Inc. CEO Joseph Nacchio with fraud and other securities-law violations. The commission claims that from 1999 to 2002, Qwest engaged in a complex scheme to improperly record more than $3 billion in revenue and exclude $17.3 million in expenses.


Akamai Buys 
Rival Speedera 


Content delivery specialist Akamai Technologies Inc. last week announced that it plans to acquire Santa Clara-based rival Speedera Networks Inc. in an effort to boost its standing against larger managed-services vendors. The $130 million stock deal is expected to be completed in the second quarter.


Business Process Tools
Seen Lifting Profits


Financial services 
firms look for an 
edge versus rivals 


BY LUCAS MEARIAN
Financial services firms will be adopting business process management (BPM) tools and techniques at rates outpacing those of other industries this year, because the efficiencies and cost savings they can create are vital in an industry quickly losing profit margins as products become commodities.

The message hasn’t been lost on vendors. For example, EMC Corp. in Hopkinton, Mass., is updating its BPM suite in the latest version of the Documentum enterprise content management platform set to be unveiled today (see story below).

The new EMC tool enters a field crowded with offerings from suppliers like FileNet Corp., Pegasystems Inc., Tibco Software Inc. and others. Vendors of such tools can find significant opportunities among banks, brokerages and insurance companies, since these businesses can run more efficiently and boost worker productivity by automating processes, said Peter Redshaw, an analyst at Gartner Inc.


No Need for Paper 

One of the drivers of BPM 

in financial services is the 
amount of electronic imaging 
for items such as checks, 
mortgages and loan applica- 
tions, Redshaw said, noting 
that Gartner has found that 
BPM is spreading quickly 
among such firms. 

Yet Redshaw said banks are 
moving cautiously for fear of 
exposing sensitive data on the 
Web-based applications. 

The First National Bank of Arizona said that by rolling out a BPM tool from Ultimus Inc. in Cary, N.C., it was able to eliminate 20 paper forms related to access to selected corporate data.

Previously, the bank used numerous paper forms that required multiple signatures for varying levels of authorization.

“It saved an enormous amount of production time having that one-stop shopping versus going onto our Web sites to locate the forms for signatures and then get them signed and follow up manually,” said Karen Scheer, operations and technology business liaison at First National in Phoenix.

“[BPM] saved an enormous amount of production time.”
KAREN SCHEER, OPERATIONS AND TECHNOLOGY BUSINESS LIAISON, FIRST NATIONAL BANK OF ARIZONA

Scheer said that creating a 


EMC Unveils New Documentum Version 


EMC today is unveiling a new 
version of its Documentum con- 
tent management suite based on 
a new underlying architecture 
that the company says can fully 
integrate individual products in 
the suite. 

Version 5.3 adds a unified ar- 
chitecture that lets each Docu- 
mentum application share the 
same code base, leading some 
analysts to describe the package 
as a true product suite. 

“What's new is that they've 
now pulled together disparate el- 
ements: workflow, rules engines 
and content management. Now 
they have a suite of offerings,” 
said Peter Redshaw, an analyst 
at Gartner. 

EMC is looking for the new version, especially its updated business process management tool set, to increase its standing in the financial services industry. “Up until now, we couldn't sell into insurance, financial applications, mortgage processing or loans,” said Lubor Ptacek, director of product marketing at EMC's Documentum division.

NEW PRODUCT

EMC Documentum Version 5.3 includes:

■ Documentum Client for Outlook

■ Documentum Content Transformation Services

■ Documentum Collaboration Services

■ Documentum Business Process Management

■ Documentum Retention Policy Services

Documentum’s Business 
Process Manager suite can now 
automate exception handling for 
things such as bounced checks 
or questionable invoices. 

The new version also includes 
collaboration tools that can be 
used to automatically invite ap- 
propriate business users into an 
online Web forum and populate 
that forum with data related to 
that business transaction. Then 
the decision made by business 
users in the forum automatically 
triggers settlement of the excep- 
tion. For example, in the case 
of an invoice, the tools would 
authorize payment. 

■ Lucas Mearian





centralized database for all information related to requests, as well as a central online location for requests and approvals, simplified management tasks.

By definition, automating manual processes improves customer service, Redshaw said. “Automating things done manually on paper makes things faster, and customer service looks better — like processing a loan application in six days instead of six weeks,” she said.


Regulations Compliance
Sumitomo Mitsui Banking Corp. in Tokyo used the e-Work BPM tool from Metastorm Inc. in Columbia, Md., to facilitate worldwide Basel II and USA Patriot Act compliance. Rise Zaiser, vice president of business applications at Sumitomo Mitsui Bank, said it cost the company less than $500,000 to set up the system at a data center in New York.

The system automates the process of performing background checks on new banking customers through the U.S. Department of the Treasury’s Office of Foreign Assets Control, Zaiser said.

Metastorm’s e-Work plat- 
form also allowed the bank to 
create a globally accessible 
system for tracking customer 
activity while interfacing with 
multiple systems to decrease 
manual input and improve 
data accuracy for Basel II, 
which regulates the amount 
of cash reserves a bank must 
have. 

“It enabled us to not only set up standardized processes to capture information, [but] we can also change the options people have for filling in [data] fields depending where they are in the world. For example, a ZIP code is a term used in the U.S., and a postal code is used in the rest of world,” Zaiser said.

Many of the processes at the 
bank had previously been per- 
formed manually, requiring 
personnel to stamp or sign 
forms and then send them to 
other employees for approval. 


@ 53250 
…res May Derail
U.K. Biometric ID Card


LONDON
Facing likely defeat in the House of Lords this week, legislation to create a national identity card program is expected to be shelved by U.K. government officials until after the next general election.

The Identity Cards Bill would create 
by 2010 a system of ID cards with em- 
bedded chips that carry personal infor- 
mation and biometric identifiers, all 
stored in a massive database called the 
National Identification Register. But 
government ministers, who expect stiff 
resistance in the House of Lords, re- 
portedly plan to table the bill and rein- 
troduce it sometime after the 
May election. 

The Identity Cards Bill was approved by the House of Commons in February. Prime Minister Tony Blair has insisted that the ID cards are needed to fight identity fraud, illegal immigration, terrorism and improper use of the National Health Service. But critics of the bill have said that the ID cards would be a violation of privacy rights and that the biometric tests would incorrectly identify individuals 10% to 15% of the time.

■ LAURA ROHDE, IDG NEWS SERVICE

GLOBAL FACT
Percentage of European IT managers who fear they will lose their job after a security breach. [Figure not recovered from the page.]

An International IT News Digest


Perot Plans Acquisitions 
To Boost Global Reach 


BANGALORE, INDIA
Perot Systems Corp., an IT and business process outsourcing vendor based in Plano, Texas, plans acquisitions in India, Eastern Europe, Russia, China and Mexico to meet customer demands, Chairman Ross Perot Jr. told reporters here last week.

“We do follow our customers, and we have customers who are now in Eastern Europe and China, and they are asking us to continue to build capabilities there, which we will do,” Perot said. “We also have clients who are looking at Mexico and the rest of South America, and we need to build up capacity there, too.”

Perot was in India for the company’s board meeting, which was held for the first time in the country to underscore its importance in the company’s strategy. About 4,500 of Perot’s 15,000 employees are in India.
■ JOHN RIBEIRO, IDG NEWS SERVICE


Bank in South Africa 
Adds Cell Phone Access 


JOHANNESBURG
First National Bank of South Africa, a unit of FirstRand Bank Ltd., recently launched cell-phone-based banking for customers, including those in rural and underserved areas where wireless phones are common but automated teller machines are not.

Cell phone users register for the service and send text via Short Message Service to a five-digit number. To get an account balance, for example, the customer sends a message reading “balance” to phone number 31321. The bank then requires a personal identification number before providing the requested information or transaction.

The fee-based service offers only basic functions, according to the bank, such as the ability to obtain a mini-statement of the past three transactions, get account balances and transfer money between a customer’s First National accounts. @ 53211
■ NICOLAS CALLEGARI, COMPUTING SOUTH AFRICA
Briefly Noted


South Korea’s government recent- 
ly complained that Microsoft 
Corp.'s software prices can be 
three times higher in South Korea 
than in the U.S. A government re- 
port said, for example, that Micro- 
soft SQL Server 2000 Enterprise 
for 25 clients costs 18 million won 
in Korea - the equivalent of 
$17,930 U.S. - but costs $4,790 in 
the U.S. A spokesman for Seoul- 
based Microsoft Korea said that 
prices are set by retailers. 

■ SEUNG EUN MYUNG, IT WORLD KOREA


Vodafone Group PLC, a wireless 
operator based in Newbury, U.K., 
will add 5.7 million customers in 
Eastern Europe with last week’s 
$3.5 billion acquisition of the Ro- 
manian and Czech units of Telesys- 
tem International Wireless Inc., 
which is based in Montreal. 

■ LAURA ROHDE, IDG NEWS SERVICE


Microsoft said last week that its 
stripped-down Windows XP Starter 
Edition will be launched in India in 
June, initially in the Hindu E 
■ JOHN RIBEIRO, IDG NEWS SERVICE


Buyout Wave Pushes ASPs
Into Deals With Big Vendors

Users anticipate potential benefits of
increased efficiencies and lower costs





BY PATRICK THIBODEAU 
About a month ago, Mumbai, 
India-based Mphasis BFL Ltd. 
contacted Victor Rodriguez, 
CIO at Carolina Care Plan 
Inc., to discuss its business 
process outsourcing (BPO) 
services. Mphasis officials also 
asked Rodriguez about Eldora- 
do Computing Inc., which 
provides the health benefits 
management system used by 
the Columbia, S.C., company. 
It was the first time Rodriguez had heard from Mphasis, and he suspected that the call was part of an effort to feel out Eldorado’s customers about a potential partnership between the two companies. But it turns out there was more to the call than that.

Last week, Mphasis an- 
nounced that it has agreed to 
purchase Phoenix-based Eldo- 
rado for $16.5 million. Al- 
though it is a relatively small 
deal, the acquisition is none- 
theless part of an accelerating 
merger trend in which large 
IT services vendors are buy- 
ing application service pro- 
viders (ASP). 

Rodriguez said that at least in the case of the Mphasis/Eldorado deal, he sees potential benefits for users like him. “We have the possibility for Mphasis and Eldorado to leverage a partnership and bring a more cost-effective organization,” he said.

Carolina Care uses Eldora- 
do’s Healthware ASP service 
for its core benefits manage- 
ment application, and the 
company outsources its claims 
processing work to a separate 
BPO vendor. Bringing those 
two activities together under 
one vendor may bring some 
efficiencies and lower costs, 
Rodriguez said. 

He added that he will close- 
ly monitor Eldorado’s perfor- 
mance and that he thinks its 
service levels “may take a hit” 
as the details of the planned 
acquisition are ironed out. But 
Rodriguez said he doesn’t an- 
ticipate any major problems 
with the ASP. 

In a related development, IBM last week said it had completed a $182 million acquisition of Corio Inc., a San Carlos, Calif.-based company that deploys and manages ERP and CRM applications. IBM plans to use Corio’s operations to broaden the application services portfolio offered by its Global Services unit.

And in January, Sun Micro- 
systems Inc. bought Seven- 
Space Inc., an Ashburn, Va.- 
based managed services firm 
that remotely supports enter- 
prise applications and other 
technologies on systems from 
Sun and rival vendors. 


Checking the Pulse 


ASP customers should “do a pulse check on that relationship,” said Meta Group Inc. analyst Dane Anderson, who recommended that IT managers review their service-level agreements and consider preparing contingency plans in light of the recent acquisition activity.

Joseph Sorisi, CIO at Plat- 
form Learning Inc., a New 
York-based company that pro- 
vides tutoring services to 
some 50,000 students around 
the U.S., said that even in a sit- 
uation where an IT vendor 
buys an ASP and wants to 
move its offerings to a differ- 
ent hardware platform, users 
should still have some power 
under their contracts. “The 
customer has control over the 
timelines,” Sorisi said. 

Platform Learning has used 
hosted software from Nsite 
Inc. in Pleasanton, Calif., to au- 
tomate many of its paper-based 
business processes. Sorisi said 
the ASP model has saved him 
from having to hire new IT 
staffers and to invest in main- 
taining and supporting appli- 
cations internally. @ 53255 
Continued from page 1


BI Tools 


ager at Briggs & Stratton. 
“Show me those things that 
are within my area that are not 
within norms or... are head- 
ing for a collision course.” 

For example, the portal can 
alert accountants that correct 
accounting procedures are 
not in place to handle orders 
as a new engine is set to be 
shipped, Felsing said. Before 
the BI was embedded in its 
processes, the company would 
have to take orders out of the 
system, re-enter the correct ac- 
counting information and then 
re-enter orders the next day to 
ensure that the products would 
ship correctly, he explained. 


Growing Market 
SAS, Information Builders and 
Cognos are among a growing 
number of vendors making a 
push into operational BI, said 
Keith Gile, an analyst at For- 
rester Research Inc. 
“Businesses want to get more value out of all of the data, not just the data warehouse. Many of the real-time decisions that need to be made must be made while the process is happening, like while the customer is on the phone or when the patient is being treated,” Gile said.

New York-based Information Builders earlier this month unveiled WebFocus 7, a BI tool set geared toward providing oper-


Group Seeks Portfolio 
Management Answers 


IT managers hope 
to gain insights 
on cultural issues 


BY THOMAS HOFFMAN 
IT managers from AAA, Visa, 
The Boeing Co. and other 
companies today will hold the 
inaugural meeting of an asso- 
ciation looking to exchange 
ideas and best practices for IT 
portfolio management. 

The organization, known 
as the Portfolio Management 
Council, is being spearheaded 
by San Retna, chief portfolio 
officer at San Francisco-based 
AAA of Northern California, 
Utah and Nevada. The gene- 
sis of the group, said Retna, 
comes from the need for IT 
portfolio managers to be able 
to dive into the “nuts and 
bolts” of portfolio manage- 
ment strategies and chal- 
lenges. 





For instance, said Retna, at industry conferences, IT portfolio management discussions tend to take a high-level view of the issues. In contrast, he and other members of the council, which also includes representatives from Safeway Inc. and Washington Mutual Inc., plan to explore more day-to-day challenges. That could include discussions of how portfolio management practices can affect staffing, and dealing with the cultural aspects of putting an IT governance committee into place, for example.

“Some organizations have 
been able to make the cultural 
changes necessary to put gov- 
ernance councils in place,” 
said Retna. “What can we 
learn from them?” 

Dana Gardner, an analyst at 
The Yankee Group in Boston 
and a member of the council, 







ational BI. It includes native access to more than 200 data sources through integration adapters from the vendor’s iWay Software subsidiary. Information Builders and iWay have historically marketed their products separately, but they are now integrating iWay’s integration and metadata management tools into WebFocus 7 to meet a growing market for operational BI, said Michael Corcoran, vice president of Information Builders. Scheduled to ship next month, WebFocus 7 will provide access to relational and legacy data, data from enterprise applications and data warehouses, and data from operational systems, he said.

Montreal-based Pharmascience Inc., a beta user of WebFocus 7, is hoping that the new integration features will help the pharmaceutical company better manage inventory, said Jonathan Despres, manager of information access. Now, inventory information can be delayed by as much as a week, Despres said. Linking


said he anticipates that the group will broaden IT managers’ understanding about how IT and business objectives can be better aligned. “The goals are to raise the consciousness of enterprises to some of these issues and build some discussion around how to get started,” said Gard-


AT A GLANCE

Portfolio Management Council

A newly created association whose members (predominantly IT managers) will [...] and share ideas on IT portfolio management strategies.
WebFocus 7 to the company’s SAP data warehouse — a goal of the firm — would allow inventory information to be included in product warehouse business processes, he said. “If [users] get information delayed by a week, it’s almost impossible to reduce the inventory level,” he said.
Alaska Airlines Inc. in the past two months has begun deploying business analytics tools from Siebel Systems Inc. in its marketing organization. The tools will be integrated with Alaska Air’s customer management system and will incorporate data from Sabre Holdings Corp.’s Sabre reservations system, said James Archuleta, director of CRM at the Seattle-based airline.

The Siebel tools will enable Alaska Air to tie together loyalty program and flight-scheduling databases with a metadata layer from the Siebel technology. Call center representatives will then have updated customer information in their desktop applications, said Archuleta. @ 53247


ner. “It’s one thing to have a 
vision and have an end goal; 
it’s another thing to put it into 
practice.” 

Gardner said that this is the 
first IT portfolio management 
user group he’s aware of that 
isn’t being driven by a vendor, 
a trade group or a market re- 
search firm. 

Retna said the group in- 
tends to tackle four specific 
areas over the next six to 12 
months: determining whether 
an IT organization has invest- 
ed in the most-effective IT 
projects; has the capacity and 
resources to execute on those 
projects; has the ability to ad- 
dress the change management 
aspects associated with IT 
portfolio management; and 
can judge whether IT projects 
are delivering their anticipat- 
ed returns. 

Retna said the group’s mem- 
bers plan to discuss in San 
Francisco this week some of 
the logistics for the organiza- 
tion, including the naming of 
officers and how often they in- 
tend to meet. @ 53235 
Group Offers Sarb-Ox
Certification Program


Courses target IT; 
finance personnel 


BY THOMAS HOFFMAN 


An online community for Sarbanes-Oxley practitioners last week introduced a set of certification courses aimed at determining the proficiencies of IT and accounting professionals around the congressional regulatory mandate.

The Clifton, N.J.-based 
Sarbanes Oxley Group of 
Auditors and Professionals, 
known as SOXGAP, is plan- 
ning to hold two training 
workshops in New York, 
on April 2 and 3. 

The first course, called SOXBase, requires that participants pass a qualifying exam that tests their fundamental understanding of the Sarbanes-Oxley Act of 2002, said Sanjay Anand, chairman of the group, which was founded in 2003. A second course, called SOXPro, requires that candidates already have Sarbanes-Oxley experience and proficiencies.

The courses are offered to auditors and nonauditing professionals, including workers from human resources, legal, ethics and other departments who are or expect to become involved in Sarbanes-Oxley-related compliance efforts, according to Anand.

Anand said the group is trying to keep the class size at about 12 to 15 people in order to maintain an acceptable student-to-teacher ratio and to encourage classroom interaction.

The cost of the two-day 
class is $2,295. 

A second set of classes is 
being planned for Los Angeles 
in late October, said Anand. 
Meanwhile, courses may be added for other U.S. cities this summer based on demand, he said. @ 53241
IT Leaves Tax Savings out of the Equation

BY THOMAS HOFFMAN
Though IT managers continue to be under enormous pressure to cut costs, more than 70% of corporations fail to include tax departments in IT procurement decision-making, according to a survey of more than 200 IT and finance executives conducted by Deloitte Consulting and IDC. Raffi Markarian, a principal with Deloitte Tax LLP’s ERP Integration Services practice in Chicago, last week discussed with Computerworld what steps IT organizations can take to recognize potential tax savings.


Why is the tax function so often overlooked during the IT procurement process? There appears to be a gap between corporate departments, particularly between [the IT and tax departments]. Global 2,000 [companies’] tax departments generally report up to the CFO function, and IT is a different organization in the company, and the two just don’t cross paths, which is unfortunate.

As CFOs are more actively involved in IT investment decisions, shouldn’t they be aware of the need to include tax in such discussions? They should, and I’m hoping that recent trends of more active CFO involvement bodes well. CFO involvement seems to be a two-pronged approach. [First], the [...] actively involved in control and Sarbanes-Oxley issues. The second prong is an insistence on return-on-investment and payback scenarios.


Do most IT purchases by corporations qualify for federal or state R&D tax credits? R&D is just one aspect of many different items. I would say that it’s probably not a majority but a minority of investments.

What type of investments do qualify for such credits? Generally, IT investments that involve more-sophisticated and novel approaches, such as RFID as an example. Things that are not as ordinary.

What recommendations would you make to IT procurement officers? To include tax in some shape or form in the decision-making process. To include tax considerations as early as possible. Then to ensure that appropriate tax representatives are involved through the life cycle of that project implementation. It’s a cause-and-effect kind of thing. Many folks on the IT side aren’t aware that every transaction that flows through an IT system has a tax implication somewhere along the line. QuickLink 53214
DON TENNANT

An Awkward Position

THIS IS COMING to you from a creepily dark, scarily tiny guest room at the W Hotel in Manhattan. The dark creepiness is apparently supposed to be very chic and avant-garde, but it doesn’t do much for me other than give me the willies.

I’m in town to attend the 51st annual Jesse H. Neal National Business Journalism Awards luncheon because Computerworld was a finalist for one of these prestigious awards. Having just recently returned from the Premier 100 IT Leaders Conference, where 100 of your peers were honored for their contributions to your profession, it was cool to feel a resurgence of that rush you get from seeing hard work, dedication and talent acknowledged and rewarded.

I couldn’t help but compare the two award ceremonies and the professions they honor. I’m sure I was as struck as anyone at the P100 conference by discussions of the sometimes overwhelming challenges that the P100 honorees in general, and the Best in Class award winners in particular, have had to overcome in the course of doing their jobs. IT is, to be sure, a very tough and demanding profession.

As IT journalists, we do our best to imagine walking in your shoes so we can gain an appreciation for what keeps you awake at night. But what do you suppose keeps an IT journalist awake at night? Besides the night sweats stemming from being cooped up in a claustrophobic but oh-so-chic hotel room, I mean.

Sure, there are the constantly looming deadlines, but your profession has those as well. I’ve found that a real challenge of this job is being in a position in which you have to publicize people’s transgressions. Think about it. That’s a fairly awkward, uncomfortable position to be in.

You don’t have to be a religious or moral zealot to recognize that there’s something to be said for that admonishment about casting the first stone. I’ll be honest and say that Barry Bonds, the baseball player, touched a nerve at that press conference last month when he lashed out at journalists who were hounding him about his use of steroids.

“All of you guys have lied,” he told them. “Should you have an asterisk behind your name?”

It was a legitimate question. The fact is, there’s not a journalist (or an IT professional or anyone else) who hasn’t done something that in hindsight he wishes he hadn’t done and that he’d be very happy not to have publicized. That’s just a simple fact of life. Yet we publicize other people’s wrongdoings all the time.

As I write this, there’s a story just hours old on our Web site about the transgressions of Bernie Ebbers, the former WorldCom CEO who was found guilty of fraud and conspiracy [QuickLink a5590]. And another one about Joseph Nacchio, the former Qwest Communications CEO who, according to the SEC, engaged in fraud as well [QuickLink 53207]. Those are important developments that you need to be aware of. But I’ll have to leave it to the journalism ethics professors to explain why it’s not hypocritical for us to run those stories while not wanting our own goof-ups to be publicized. I’m not sure I have a good answer.

Which is not to say I’m not perfectly happy to publicize the offense of charging $269 a night for a walk-in closet with a bed, a TV and a desk with a dim light. And who ever heard of naming a hotel “W”? Now that’s a transgression. QuickLink 53216





Changing IT’s Rep Through Small Talk

I JUST SAW another one of those commercials that make fun of the unprofessional IT worker. I’m sure you’ve seen this one: The Suit comes into the Techie’s work area and asks if something can be done by Tuesday, to which the Techie responds unprofessionally. The Suit offers to negotiate for the Techie, and the Techie snaps to and says he’ll call a vendor, the commercial’s sponsor. The Suit is left confused, the Techie gloating, and the Sponsor looking great.

And IT workers everywhere are left with an image problem.

This month, we also heard from Gartner that CIOs are the lowest of the C-level executives, with a record number of CIOs reporting to non-CEO-level managers.

Meanwhile, our trade magazines are filled with IT managers bemoaning how miserable it is to be in the profession. If you get a chance to read magazines aimed at other C-level positions, you’ll find that they present a much more positive outlook to their readers. What is it that makes the difference? I know that most of us act like professionals, and for the most part we like our jobs. But like trial lawyers, we have a stereotypical reputation that is damaging to our profession.

I believe this is the best time to be in IT. Technology is everywhere, and there are more opportunities than ever before. The challenge is finding them.

I came across a great article by Susan RoAne titled “How to Create Your Own Luck: The ‘You Never Know’ Approach for Turning Serendipity into Success.” RoAne is a speaker whose specialty is motivating people to mingle. Don’t laugh; I’ll explain why this is an important skill. She has spoken at Oracle, Autodesk and other technical and engineering companies.

She lists 10 behaviors for creating your own luck; here are a few that I have found the most challenging.

www.computerworld.com

The first and second behaviors are to be open and positive and to observe people who are open, imitating their behaviors, including both what they say and don’t say. Open doesn’t mean blabbing company secrets. It means using positive storytelling as a way to motivate, connect and share experiences with staff, peers and colleagues. When I first tried this, I found it extremely difficult. It was so much easier to be ironic.

Another behavior is to make small talk. RoAne notes that through small talk, we find out about areas of commonality, which form connections that in turn form business relationships. When RoAne and I spoke last week, she shared a story about two Boeing engineers who worked together for nine years before finding out that they lived in the same neighborhood. Too often, we concentrate on the work at hand and miss opportunities to learn about one another. I wonder how much more we could communicate if we used those few minutes before or after a meeting to find out how the business owner’s weekend was or whether he has children.

I’ll leave you to read the rest of RoAne’s article at www.susanroane.com. Even if you don’t agree with all of her recommendations, try one or two that you don’t normally do and see whether it makes a difference. I’m not sure this is the answer, but I do know that we need to improve our reputation and create our own opportunities. QuickLink 53147
In Mobile Computing, Size Matters

CONVENTIONAL wisdom about mobile computing says that end users are willing to carry only one device. This belief has led vendors to race to create the perfect single product. The problem with converged devices, though, is that they require compromises on functionality, and in fact the single-device notion is more myth than reality.

Based on a recent JupiterResearch consumer survey, we know that while users prefer to carry only one device when that is possible, they are actually willing to carry up to three, based on contextual circumstance. But there’s more to the story than that; size is critical, and that’s why it’s important to break down the form factors for mobile devices into four categories. If you’re making decisions about purchasing mobile technology for end users, you must keep these four categories in mind.

■ Devices that require an additional case. Any device that requires its own case, like a projector or large laptop computer, means end users must carry a significantly larger load, in terms of both bulk and weight. Because users must make a concerted effort to carry such a device, they will do so only when they need the dedicated functionality.

■ Devices that are cased with other devices. These are things that fit into a case that the user is already taking along. If a user is already carrying a bag that holds a laptop, taking several smaller items (such as a BlackBerry and cell phone) in the same bag requires little extra effort.

■ Pocketable devices. These devices are carried independently, on the person. There’s a stark line of demarcation between this category and the two already discussed. A lot of things can go into a laptop case, but there are only so many items that can be carried on the person. As a rule, pocketable devices are worn on the person and are noticeable. As each device is added to the mix, bulk and weight grow significantly. As a result, our research tells us that most users will not carry more than three devices on their person, and two devices is the sweet spot.

■ Invisible devices. This is the most interesting category. Users do not hesitate to carry devices that they perceive as invisible. Watches, wallets and keys all fall into this category. Increasingly, cell phones that are small and lightweight are being perceived by those who carry them as invisible as well.

What all this means is that vendors are racing in the wrong direction to meet a user need that isn’t there. For example, reducing functionality in the interest of making a device smaller is foolish if the device isn’t made pocketable. Likewise, increasing functionality while losing the ability to be carried ubiquitously can be wrong as well. IT departments need to be careful when selecting devices for end users, and form and function need to go hand in hand. At the same time, users shouldn’t try to sacrifice functionality for the sake of device size. Trying to replace your laptop with a BlackBerry or Treo might be feasible on a day trip, but if you’re going for a week and need to update your five-year sales projections, take a real computer with you.

How many devices do you carry on your person and in your bag when you’re on the road? In a future column, I’ll publish an updated list of the most popular things people take with them and why. QuickLink 53070

Looking for the IT Leaders of Tomorrow

I AM A RECENT MBA graduate from the University of Michigan Ross School of Business. I often saw top firms visit campus to recruit students for leadership rotational programs in areas such as finance, marketing and strategy. However, only a handful of firms came to recruit MBA students for positions in IT. When I last looked, there were at least 245 leadership rotational programs for graduating MBA students among large U.S. companies, but only 10 of these programs were IT-focused.

In his “Masters of Frustration” editorial [QuickLink 52643], Don Tennant mentioned that he often hears IT executives complain that universities aren’t graduating enough students with both IT and management skills. When I talk to faculty who teach technology courses at the B-school, I often hear them complain that companies don’t value technology skills in graduating MBA students and hence there isn’t sufficient interest in technology courses. Today, IT is the central nervous system of many organizations. As organizations understand this and understand the value of having MBAs in the IT department, we will move closer to the day when CEOs come from the IT function.

Don Tauro
Ann Arbor, Mich.

I IMAGINE YOU have heard of Northface University in Utah. Its business is producing graduates tailored to the needs of large IT vendors such as IBM and Oracle. It offers a program that combines business and IT instruction from the students’ freshman year on. I believe that this model is more likely to produce what the industry is looking for than changes made by traditional MBA programs.

Scott Peterson
Sandy, Utah

DON TENNANT has sided completely with industry in believing that educators are to blame for the lack of IT managers. This is bull. Time and again, industry fails to implement a method whereby skilled technologists can effectively move into management through educational initiatives. Yes, quite a few of the “poster children” companies have effective programs, but most don’t. I am now in an industry that values knowledge: education.

Brian Nelson
Systems administrator, Richardson, Texas

Patients’ Rights

KYM GILHOOLY’S article regarding electronic health records [“Rx for Better Health Care,” QuickLink 51989] doesn’t make much mention of what I believe is the largest stumbling block of all: medical data ownership. Patients are able to access “their” records only at the approval of the provider. The benefits to be gained from either full interoperability or actual records consolidation are immense, but as the public becomes aware of such issues as the effect their comprehensive record can have on their insurance or their future care, there will likely be backlash. Safeguards such as the ability for patients to review and amend their records will have to be balanced against the ability of providers to honestly and accurately report not only objective test results, but also subjective observations that aren’t always available to patients today. Another issue that will have to be addressed sooner rather than later is the ability to easily strip identification data from records to enable medical researchers to benefit as well.

Dave Kristof
San Antonio


COMPUTERWORLD welcomes comments from its readers. Letters will be edited for brevity and clarity. They should be addressed to Jamie Eckle, letters editor, Computerworld, PO Box 9171, 1 Speen Street, Framingham, Mass. 01701. Fax: (508) 879-4843. E-mail: letters@computerworld.com. Include an address and phone number for immediate verification.

For more letters on these and other topics, go to www.computerworld.com/letters
INTRODUCTION

Security In Business Context

SECURITY [...] Bruce Schneier, in his excellent book Beyond Fear (Copernicus Books, 2003), notes that U.S. cybersecurity officials have tried to get American CEOs who are in charge of critical facilities (such as nuclear power plants) to spend big bucks on security, for the good of national security. The appeal to patriotism hasn’t worked. “If the CEO of a major company announced that he was going to reduce corporate earnings by 25% to improve security for the good of the nation, he would almost certainly be fired,” Schneier says. And rightly so. “Sure, the corporation has to be concerned about national security,” Schneier writes, “but only to the point where its cost is not substantial.”

The point is that security is a balancing act. We all know there can never be perfect security, and it would be unaffordable if it were possible.

We can make our systems completely secure only at the expense of infinite cost [...] other security [...] William Hu[...] “[...] completely secure if we unplug them. They will be completely secure if they have no users or uses. They will be more secure if we do not connect them to a network.”

Of course, the opposite is true. We have more users — including outside trading partners in the supply chain — and more connections to the wide-open Internet and wireless networks.

And the problem isn’t imaginary or hype. In a recent survey of 163 large U.S. organizations by Ponemon Institute in Tucson, Ariz., 122 (or 75%) reported a data security breach in the past 12 months. In many cases, the result was a leak of customer information, employee information or confidential business information.


Tops on the Agenda

Fortunately, security has rocketed to the top of the corporate IT agenda. Almost every survey shows that it is No. 1 on the list of IT concerns and high-priority spending plans. In part, this is because of virus outbreaks such as Blaster and Slammer in 2003, the worst year of malicious code outbreaks in the 20-year history of computer viruses.

The greatest barrier to effective security is an inadequate budget, according to a study by PricewaterhouseCoopers and CIO magazine. Prior to the 2003 virus outbreaks, security budgets had been flat, but many IT organizations report more security spending since then. Interestingly, those organizations that exhibit the best practices in IT security management tend to allocate a bigger portion of their budget to information security (14%, compared to 11% for other respondents), the PricewaterhouseCoopers study finds.

Regulatory compliance is causing a lot of security activity, too. Of 229 U.S. organizations surveyed by Enterprise Strategy Group Inc., [...]% say regulatory compliance is behind the increase in security investment. (But only 32% of the companies are very confident they would pass the IT security portion of an audit.)

“Governance and compliance issues are still driving the need for information security, with some of the budget coming from compliance initiatives related to Sarbanes-Oxley [Act compliance],” says Joe Duffy, partner at PricewaterhouseCoopers.

The “best practice” organizations also adopt a long-term view of security investment, versus a one-year-at-a-time planning cycle, according to the PricewaterhouseCoopers and CIO study. Moreover, best practice companies were more apt to engage the business units in decision-making about security.


The Security Imperative

So what’s the “security imperative” in the title of this report? We have to try hard to protect the company’s information assets, but without bankrupting the company or making its systems unusable.

In other words, the goal is security in business context. As security expert Donn B. Parker put it in his book Fighting Computer Crime (John Wiley & Sons, 1998): “Business has no patience for excessive, impractical security advice.”

[Chart: “Which types of network security products do you plan to buy in the next 12 months?” Base: [...] with more than 100 employees; multiple responses allowed. Chart data not captured.]

That’s why this report is full of peer-tested strategies and tips for improving security in business. In the first section, it covers the following topics:

■ How to outsource security to managed security services providers — and what questions to ask before you do.

■ How to implement an identity management program.

■ How to protect your corporate systems from remote-access points such as telecommuters.

■ How to thwart insider abuse and plug the security gaps caused by instant messaging.

Perhaps most important is the subsequent section on business issues. You’ll learn how to provide — and maybe even strengthen — IT security during a merger or acquisition. Plus, former CIO Doug Lewis provides a brilliant (and politically savvy) way to sell security to the chief financial officer and get the budget you need for a prudent level of security.

Prudent is the key word there. It implies trade-offs — the trade-off between absolute security and affordability. “There is no single correct level of security,” Bruce Schneier says in Beyond Fear. “How much security you have depends on what you’re willing to give up in order to get it.”

In the future, Parker says, “The motives and desire for prudent security must come from the business managers, not the security advisers.”
TECHNOLOGY

Improvements in video e-mail technology have translated into its adoption by large companies. BY KATHY CHIN LEONG

IF JOE BIANCO HAS HIS WAY, movie star Russell Crowe will soon be firing off video e-mails to his fans thanking them for their support. Perhaps the actor/singer will embed clips of his latest recording session along with a personal note of appreciation. It’s possible.

Bianco, CEO of New York-based Sheridan Square Entertainment, is so convinced that video e-mail technology is the wave of the future, he has inked a contract with provider First Stream in Irvine, Calif., to outfit his 100 employees with the service. And Sheridan Square, which owns Crowe’s label, Artemis Records, will be offering its musicians the opportunity to send video e-mails to admirers.

“There are two reasons why we are very excited about video e-mail,” says Bianco. “First, we will be using this for corporate interoffice communications.” With offices in four U.S. cities, using video e-mail will cut down flying time substantially, he says. “Second, our artists can maintain connections with their fans. I anticipate that a heavy metal artist will send a message that will look very different than a folk singer’s.”

Once dismissed as a gimmick, video e-mail is beginning to make inroads into business communication. As the technology has been refined and costs have been reduced, name-brand corporations have begun to give video e-mail a try.

EARLY DAYS

In the mid-1990s — the early days of video e-mail — the technology was interesting but rough around the edges. PCs had to be beefed up with high-end graphics cards, megabytes of memory and special camera gear. High-speed transmission lines were scarce. Not only was it expensive, but it also was kludgy.

“Back then, video over Internet looked more like a series of fast photographs,” says Paul Braun, president of New York-based VIDISolutions. “Compression was not so good. Big, bulky files came very, very slowly.”

Faces looked pasty; voices failed to sync with moving lips. Full-motion video via the Web reminded users of a bad Japanese movie with poor dubbing. But video streaming arrived in the late 1990s, permitting users to view footage without hogging disk space. In video streaming, full-motion images flow through the recipient’s computer, but the video data resides on the provider’s server, not the user’s.

FINDING A HOME

Video e-mail is no longer an orphan technology. Organizations such as the Miami Dolphins football team, DaimlerChrysler AG and Eli Lilly Corp. are relying on video e-mails for ad campaigns, internal announcements and market surveys. These businesses are also using the technology for sales training, public relations, customer updates and product releases.

Ease of use is key to the growing market for video e-mail. First Stream recently announced First Stream Mail 4.0, which can deliver messages via any player platform, be it Java, QuickTime, Flash or Microsoft Media Player. The viewing window in the new release has been enlarged to 3-by-2 in. and can be expanded to a full screen with a single click.

With First Stream, video message senders attach a camera such as Logitech’s QuickCam for Notebooks Pro or link an off-the-shelf camcorder to the PC. Next, they activate the video e-mail service and hit the Record button on the screen. After recording, they can embellish the message with text and graphics. Most services operate in a similar fashion, each with variations in multimedia platform, maximum video length and window size. Users generally pay an installation fee and are charged a monthly or annual subscription fee, which can range from $9.95 to $100 per seat per month.

Some companies are cutting costs with video e-mail. Focus group firm BIGresearch LLC uses video e-mail and PC-to-PC videoconferencing technology to gather consumer data. Instead of renting rooms to host focus groups, for the past two years the Worthington, Ohio-based firm has been airing live videoconferences to targeted individuals, who share their opinions remotely via PC. For test panels of 2,000 or more, BIGresearch uses technology from SOS Video Communications in Columbus, Ohio. Panel participants log onto their video e-mail, view the clip of the product and key in responses.

Phil Rist, vice president of strategic initiatives at BIGresearch, notes that savings are vast for his clients, which include Victoria’s Secret, S.C. Johnson & Son Inc. and Wal-Mart Stores Inc.

The technology has also proved powerful in business-to-business applications, says Rist. After it conducts a survey, BIGresearch tapes an actor reading a summary of the results. The footage is then condensed into a video e-mail that’s sent to the client.

“Some people are not into reading charts and numbers,” says Rist. “A video presentation makes it so much easier.” A soap manufacturer, for example, can forward that same video e-mail to a department store buyer so he also can understand consumer preferences, he says.

Meanwhile, acceptance is growing on the receiving end of the technology. According to a new study conducted by Osterman Research Inc., more than 50% of corporate users surveyed said they would view a video e-mail if it was sent by someone they knew. Over 38% said they would view video e-mails from people they do business with.

“Firms using video mail as a pull versus a push technology will gain user confidence,” says Michael Osterman, president of Osterman Research in Black Diamond, Wash. For instance, he says, if a customer has a question about a product and e-mails the vendor, that vendor can provide an enhanced service by responding with a personalized video greeting.

That is exactly what Chrysler Group sales representative Chris Hanson did when he responded to a woman interested in a Chrysler 300 vehicle. Hanson, based in Hibbing, Minnesota, replied to her questions via video e-mail and told her that the car she wanted was in the showroom. That same day, she drove three hours to purchase the car.
“Adding a face to the e-mail adds a new dimension to your selling,” said Hanson. After the transaction, he zipped off a follow-up video message thanking her for her business. “Customers can get the same information from other dealerships, but if you have a decent personality and can portray that in your e-mail, the customer will connect with you,” he says.

World Vision

A MOTHER who has just lost her son in the recent tsunami in Sri Lanka wails into the lenses of rolling cameras. In another scene, in hushed tones, a little girl explains, “Mother went to the shore and didn’t come back.”

These images from relief organization World Vision International in Federal Way, Wash., were part of a minimovie shot in Southeast Asia within days of the December tsunami disaster there and sent as a video e-mail to a half-million subscribers and donors thanking them for their support.

Called the Asia Tsunami Video Update, the three-minute roundup of the organization’s rescue and support operations in Sri Lanka, India and Thailand showed original footage of the waves, the victims and the aftermath of the disaster.

The day the tsunami hit, many of the 3,700 relief workers already in the affected regions mobilized into teams to offer shelter, food and clothing. Some were already armed with video cameras and filmed for hours. One cameraman was sent from the organization’s headquarters to help with the shooting. According to Brad Cooper, World Vision’s division director of Internet development, once the footage was transmitted electronically, video editors and producers on the creative content team worked around the clock to select precisely the right clips that would communicate what the workers were doing. Working with New York-based e-mail vendor Bigfoot Interactive Inc. and Irvine, Calif.-based VitalStream Inc. for streaming video technology, the organization transmitted a series of messages to donors within three days of the disaster.

The clips were uploaded into servers, digitized and then transmitted, says Cooper. Using Macromedia Flash and Microsoft Windows Media formats, home users saw what relief workers had encountered.

Designed as a thank-you letter, the video was so effective that recipients continued to give donations online, says Cooper. To date, contributions to World Vision have topped $250 million worldwide.

“The feedback we got from this was great,” Cooper says. “Video reinforced what our people were doing in the field.” According to Cooper, five times as many people viewed the video e-mail than the messages that had only text content.

“There was just no better way to understand the impact of the devastation than with video,” says Cooper.

- Kathy Chin Leong


EARLY ADOPTERS 


Some executives deem video e-mail a 
timesaver compared with hunting and 
pecking at the keyboard. “I’m the slow- 
est typist in the world,” says Sheridan 
Square’s Bianco. “My secretary used to 
type out my long e-mails, but now I 
create a video e-mail and communicat- 
ing is so much faster.” 

But many of today’s adopters say the 
technology proves its worth in attract- 
ing business while maintaining core 
relationships. Last fall, Authoria Inc.,
a Waltham, Mass.-based human resources
software company, issued
video e-mail created by Productorials 
Corp. in Boston to investors, analysts 
and reporters to announce that it was 
acquiring a key competitor. 

Todd Chambers, Authoria’s vice 
president of marketing, said the feed- 
back was overwhelming. “It not only 
delivered the message in a unique way, 
it set a tone for our company,” he says.
“We wanted to show how forward-thinking
we are in both what we do
and how we communicate to the out- 
side world.” 

Chambers notes that after the re- 
lease, bankers who were forwarded the 
video e-mail called to find out how 
they could invest in the company. 
“There is no question we will be doing 
more campaigns like this,” he says. 

Since video e-mail is a relatively new 
phenomenon, it is a strategic public- 
relations weapon that can generate 
buzz. When VIDISolutions partnered 
with the American Red Cross, America 
Online Inc. and Hewlett-Packard Co. to 
launch Project Video Connect in 2003, 
a free program that allows military 
families to send video e-mails to 
armed services personnel in the Mid- 
dle East, more than 70 media outlets 
covered the news. 

Sometime this year, video e-mail will 
be viewable on cell phones. According 
to VIDISolutions’ Braun, a user of the 
company’s VIDITalk technology will 
soon be able to transmit video e-mail 
to cell phones bundled with Windows 
Media Player. Likewise, companies 
transmitting messages with Destiny 
Media Technologies Inc.’s Clipstream 
technology will be able to send video
e-mail to Java-supported cell phones.

Soon users will be able to talk back 
to the sender of their video e-mails, 
according to Jarrod Erwin, vice presi- 
dent of strategic development at 
VoiceTech Communications Corp. in 
Houston. His company’s voiceNow 
video e-mail service will be equipped 
with a new CRM feature: Recipients 
with a microphone-equipped PC 
will be able to automatically dial and 
talk back to the sender with a single 
mouse click. 

What will it take for the video e-mail 
market to take off? There are still obstacles
to overcome. No vendor’s service is
perfect. Video-streamed images
don’t always work over dial-up lines,
and even businesses using DSL may 
find that video clips sputter. 

But Braun asserts that the accep- 
tance of broadband and the prolifera- 
tion of Web cameras is setting the 
stage. “Companies will soon see that 
video mail will become just as impor- 
tant as text e-mail and voice mail,” he 
says. “There will be room for all three.”

Leong is a freelance writer in Los Angeles.
You can reach her at kchinleong@sbcglobal.net.
EMC® CLARiiON® CHANGES THE WAY YOU THINK ABOUT STORAGE. Your information
and applications will be there when you get back. But some of the hassles of managing
them will be gone forever. The CLARiiON CX series makes your online information
safer and gives you simple, powerful management software. Network flexibility
for SAN or NAS. Scalable solutions starting below $5,999. To learn more, visit
www.EMC.com/backup. Or call 1-866-464-7381.
MetricStream Adds
Sarb-Ox Support


• MetricStream Inc. has extended
functionality to its software
compliance suite with support for 
Section 404 of the Sarbanes- 
Oxley Act. The new features are 
intended to help companies 
demonstrate the internal controls 
they have in place for financial re- 
porting, according to the Red- 
wood Shores, Calif.-based com- 
pany. Among the key modules in 
the suite is MetricStream Moni- 
tor, a tool that provides visibility 
into ongoing compliance efforts 
through role-based dashboards 
and scorecards. The J2EE-based 
software can run on any version 
of Unix, Windows NT or Linux, 
and it supports Oracle databases. 
Pricing is based on the number of 
users and starts at $200,000. 


Metadot Offers 
Subscription Option 
• Metadot Corp. in Austin is now
selling its open-source portal 
server on a subscription basis, 
with various levels of customer 
support and maintenance. The 
new Metadot Portal Server Busi- 
ness Edition lets users create and 
maintain extranets, intranets and 
corporate Web sites, as well as 
project and community portals, 
the company said. The applica- 
tion is browser-based and runs 
on Linux, Solaris, Windows and 
OS X. Pricing starts at $2,000 
per year. 


NetSuite Releases 
NetFlex Tool Set 


• Hosted business applications
provider NetSuite Inc. in San Ma- 
teo, Calif., last week announced 
that it is offering a new Web 
services-based technology plat- 
form called NetFlex. The product 
delivers a tool set that lets users 
customize or craft their own ap- 
plications within the NetSuite 
framework and integrate those 
applications with other applica- 
tions, the company said. NetFlex 
is available now at no extra 
charge to NetSuite users. 
Drowning in Unstructured Data


THE YEAR WAS 1989. A rather disorganized
co-worker of mine had begun running a 
personal information manager and Lotus 
Magellan, a newfangled “disk navigation 
system” that combined fast search with a 


file viewer window. In his 
case, the programs didn’t al- 
ways help. His excitement at 
showing off how quickly he 
could find some arcane bit 
of information often faded 
into a plaintive, “Wait, uh, uh, 
it’s in here somewhere .. .” 

His plea became an inside 
joke around the office, a 
mantra to be recited around 
the coffee machine. The 
best approach, I thought, 
was to organize or add 
structure to documents as 
they came into the system. If you didn’t
spend time upfront to organize your 
data, what could you expect but chaos? 
Garbage in equals garbage out. 

I’m not laughing anymore. Sixteen 
years later, the trickle of data on that 
original multimegabyte desktop hard 
drive has become a multigigabyte tor- 
rent, with much of that content linked 
to other documents on the company’s 
LAN, Web site and e-mail server, and 
the World Wide Web. Today, there is 
simply too much information to parse; 
the orderly processes I used to consci- 
entiously tag, arrange and otherwise 
transform incoming data simply take 
too long. I am drowning in a sea of un- 
structured information. 

Ironically, Magellan turns out to have 
been the harbinger of today’s desktop 
search tools, which have come to my 
rescue. Programs such as Copernic and X1
Desktop Search (the latter, a descendant
of Magellan, is the one I prefer)
combine a full-text index of documents, 
e-mail messages and other content with 
a file preview pane, enabling the user 
to almost instantly locate and display 





desired information. Support for docu- 


ment type filters and 
Boolean notation allows 
fine-grained searches. Fur- 
ther, users can usually act 
on the file within the con- 
text of the application that 
created it. For example, 
within X1, an e-mail message
in the search results
window can be forwarded 
by clicking a button. 
Desktop search tools are creeping onto
corporate desktops, both because many
are free and because the productivity
benefits are potentially large for users
with significant amounts of locally
stored content. For IT organizations
that want to support desktop search,
however, the issues are a bit more
complicated than simply adding a
preferred desktop search engine to the
standard system image.

For example, users can point desktop
search tools at shared volumes on the
network, including public folders, creating
unexpected disk I/O and network
traffic loads. Also, most products aren’t
smart enough to deal with shared storage
when laptops are disconnected. Indexed
content may be unindexed when
users are on the road, only to be reindexed
once again when the user returns.

Security policies also need to be set 
to determine who can index and view 
which files. And as a security vulnera- 
bility in Google’s tool made clear last 
year [QuickLink 51557], the products are 
still evolving. 

Ultimately, however, users don’t need 
a desktop search tool. What they need 
— and what IT should deliver — is an 
integrated system that allows searches 
of local, enterprise and Web-based content
from within a single, seamless
user interface. Right now, that’s still a 
tall order. 

First-generation enterprise search 
tools from desktop search vendors in- 
clude a second, network-based search 
engine that sits on the corporate LAN 
and indexes shared folders and intranet 
content. A user’s ability to view or
search selected content is governed
by policies and permissions the administrator
has set using LDAP or Active
Directory.
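The permission point above is where enterprise search most often goes wrong in practice: the crawler runs with rights to read the whole share, so the index itself must carry each document's ACL and re-apply it against the searcher's directory groups at query time, or result lists and snippets become a way to read files the user could never open. The following is an added example illustrating that, not code from the column or from any vendor it names; the group memberships, paths, file contents and ACLs are all constructed, and the "untrimmed" search is shown only as the failure mode.

```python
"""Permission-trimmed search over a shared volume (constructed example).

Added example, not code from the column or from any vendor it names.
Group memberships, ACLs, paths and file contents are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for LDAP/AD group lookups (user -> groups).
DIRECTORY_GROUPS = {
    "alice": {"staff", "finance"},
    "bob": {"staff"},
}


@dataclass(frozen=True)
class Doc:
    path: str
    text: str
    read_groups: frozenset  # constructed ACL: groups allowed to read the file


# Constructed sample share. The crawler's service account can read all of
# it; individual users cannot, which is exactly why the ACL must travel
# with the indexed text.
SHARE = [
    Doc("//files/public/handbook.txt",
        "Expense reports are due on the fifth of each month.",
        frozenset({"staff"})),
    Doc("//files/finance/q1-forecast.txt",
        "Q1 forecast: revenue down 12 percent, layoffs under review.",
        frozenset({"finance"})),
    Doc("//files/hr/salary-review.txt",
        "Salary review and layoffs list. bob 85000, alice 92000.",
        frozenset({"hr"})),
]

_TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    return _TOKEN.findall(text.lower())


def snippet(text, query, width=30):
    """Text around the first matching term: the part that leaks if untrimmed."""
    low = text.lower()
    for term in tokenize(query):
        pos = low.find(term)
        if pos >= 0:
            start = max(0, pos - width // 2)
            return text[start:start + width + len(term)]
    return text[:width]


class PermissionTrimmedIndex:
    """Inverted index that stores each document's ACL alongside its terms."""

    def __init__(self, docs):
        self.docs = list(docs)
        self.postings = defaultdict(set)  # term -> {doc position}
        for i, doc in enumerate(self.docs):
            for term in set(tokenize(doc.text)):
                self.postings[term].add(i)

    def _matches(self, query):
        """Doc positions containing every query term (AND semantics)."""
        terms = tokenize(query)
        if not terms:
            return []
        hits = set(self.postings.get(terms[0], ()))
        for term in terms[1:]:
            hits &= self.postings.get(term, set())
        return sorted(hits)

    def search_untrimmed(self, query):
        """What the crawler sees: every hit, ACL ignored. Shown only as the
        failure mode; never expose this view to end users."""
        return [(self.docs[i].path, snippet(self.docs[i].text, query))
                for i in self._matches(query)]

    def search(self, query, user):
        """Hits filtered by the searcher's groups, evaluated at query time so
        a permission change takes effect without waiting for a re-crawl."""
        groups = DIRECTORY_GROUPS.get(user, set())
        return [(self.docs[i].path, snippet(self.docs[i].text, query))
                for i in self._matches(query)
                if self.docs[i].read_groups & groups]


INDEX = PermissionTrimmedIndex(SHARE)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, INDEX.search("layoffs", user))
    print("untrimmed", INDEX.search_untrimmed("layoffs"))
```

Searching "layoffs" shows the difference: the untrimmed view returns both the finance forecast and the HR salary file with snippets, alice (staff and finance) gets only the forecast, and bob (staff only) gets nothing, even though the crawler indexed all three. The same check has to cover snippets and hit counts, not just the clickable link, since a count of "1 result in //files/hr" already confirms the file exists.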

Coveo Solutions Inc. offers an enter- 
prise search complement to its Coper- 
nic desktop search tool. However, users 
still must use a different interface for 
each resource. X1 Technologies Inc. is 
readying a similar tool for release this
spring that it says will include a unified
user interface. X1, which has partnered
with Yahoo to give away a consumer
version of X1 Desktop Search, could be
among the first to deliver access to the
search trinity of desktop, enterprise
and Web content from within a single
graphical user interface.

Desktop search vendors are also 
moving quickly beyond e-mail to sup- 
port content management software. 
Coveo is rolling out a version of its 
product for Microsoft’s SharePoint; X1 
has similar plans. Meanwhile, estab- 
lished enterprise search vendors such 
as Autonomy Corp. have launched their 
own products for the desktop market. If 
you use enterprise search already, your 
vendor is probably the first place to 
look for desktop search. 

But do get started. Although the 
products aren’t perfect, the productivi- 
ty benefits of desktop search are too ir- 
resistible for users to ignore. If you 
don’t start establishing a corporate IT 
standard for desktop search soon, you 
may find that your users have done it
for you. QuickLink 53169


WANT OUR OPINION? 


For more columns and links to our archives, go to 
www.computerworld.com/opinions 








DB2. ONLY THE PERFORMANCE IS HIGH.
Visit ibm.com/db2/swar
ON DEMAND BUSINESS





How Japan helps Cisco Systems 
spin a stronger web. 


No wonder Cisco Systems, the preeminent 
player paving the information superhighway, just 
opened an R&D center in Tokyo. With broadband 
access accelerating and traffic five times heavier 
on many ISP networks than that carried by U.S. 
providers, Japan is where the future of global 
Internet growth is already happening. 
Not only has a government-led “e-Japan” initiative 
successfully incentivized rapid broadband deployment— 
Japan, as one of the most sophisticated broadband markets,
is set to generate many of the world’s best new business
models. Technologies perfected here satisfy the most rigorous 
standards, so they offer another huge payoff: they promise to be 
powerful enough to serve any other part of the planet. 
So start spinning the web to capitalize on the biggest market in the 
fastest-evolving economic region on Earth. 
JETRO The Japan External Trade Organization (JETRO) is a Japanese government-funded organization that promotes trade and foreign direct investment in Japan.
Here’s a crash course
for your business
sponsor in what he
needs to know about
your IT project

By Michael H. Hugos
Business executives
who sponsor system development
projects need a way to assess them as
they move through the define, design and build
sequence. This checklist can be used to assess
any IT development project, and it will reveal
quite clearly whether things are going well.





In the first two to six weeks of the project — the define
phase — ask yourself and the system builder in charge
of the project the following questions:


What is the business goal of the project? In two 

sentences or less, state the action the company is going 
to take and the desired result of that action. This is the 
goal. It is the target, the destination the project is sup- 
posed to reach. Figure out what it is, or stop the project. 


Which performance criteria is the system sup- 
posed to meet? State requirements the system will 
meet in four areas: 


1 Business operations 
2 Customer expectations 
3 Financial performance 
4 Company learning and improvement 
These are the specific measures that will deter- 
mine whether the system will be a success. Make 


sure that you and the people designing and building 
the system know what they are. 
Do you believe that a system that meets the pre-
ceding performance requirements will accom- 
plish the business goal you are striving for? If you 
have a feeling that important performance require- 
ments have been left out, add them before the project 
gets any further along, but make sure that you add 
only requirements that are strictly necessary to ac- 
complish the business goal. Requirements that are too 
broad will result in increased system complexity and 
less chance that the system can be successfully built. 
Your Chance!

COMPUTERWORLD
Nominate an outstanding IT leader for Computerworld’s
Premier 100 IT Leaders 2006 Awards program

EACH YEAR, Computerworld editors conduct a nationwide search for
IT managers and executives who show technology leadership in their
organizations. This prestigious awards program recognizes and honors
IT professionals from a wide range of industries, drawing attention to the
innovative, business-critical work they do.

ELIGIBLE NOMINEES include CIOs, CTOs, vice presidents,
IT directors and managers from user companies, nonprofits,
the computer industry and the public sector.

HONOREES will be announced in Computerworld’s Dec. 12,
2005, issue and will be our guests at the 7th Annual
Premier 100 IT Leaders Conference, March 5-7,
2006, in Palm Desert, Calif.

Deadline for Nominations Is May 31

Go online to nominate an IT leader at computerworld.com/p100nominations or QuickLink a3420.
Questions? Contact us by e-mail at premier100@computerworld.com.
Which existing computer systems in your compa-
ny does the new system design leverage? The 
new system should leverage the strengths of systems 
and procedures already in place. That way it can focus 
on delivering new capabilities instead of just replac- 
ing something that already exists. If you decide to re- 
place everything and build from a clean slate, you had 
better be prepared for the considerable extra time 
and expense involved and be sure that it’s worth it. 


Does the overall design for the new system break 
down into a set of self-contained subsystems that 
can each operate on its own and provide value? 
Large computer systems are really made up of a 
bunch of smaller subsystems. Your company should 
be able to build each subsystem independently of the 
others. That way, if one subsystem runs into prob- 
lems, work on the others can still proceed. As sub- 
systems are completed, they should be put into pro- 
duction as soon as possible to begin paying back the 
expense of building them. If all subsystems must be 
complete before any can be put to use, that’s a very 
risky, all-or-nothing system design. Change it. 


How accurate is the cost-benefit analysis for the 
new system? Have the business benefits been 
overstated? Would the project still be worth doing 
if the business benefits were only half of those 
predicted? Cost-benefit calculations usually under- 
state costs and overstate benefits. You are the one 
who is best able to judge the validity of the calcula- 
tions. Do you believe they are accurate? The bigger 
and riskier the project, the greater the benefits must 
be to justify the risks and expense. Don’t spend more 
on a system than it’s worth. 


How has the system builder demonstrated that 
his system design and project leadership skills 
are appropriate to the demands of the project? If 
you don’t have a qualified system builder in charge, 


trategic Guidelines 
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‘Tactical Principles 


the project will fail from lack of direction. Manage- 
ment by committee won't work. If this person lacks 
the necessary design and leadership skills, he must be 
replaced, no matter what other skills he may possess. 


Which of the strategic guidelines have been followed,
and which have not? If all seven of the strategic
guidelines are followed (see box, below left), the
design of the system is very good. It’s acceptable if
one of the guidelines — except the first one — isn’t
followed. If two aren’t followed, there had better be
very good reasons. In that case, determine which extra
precautions will be taken to compensate for the increased
risk. If more than two of the guidelines aren’t
followed, the design is fatally flawed. The system can’t
be built on time or on budget, if it can be built at all.




PROGRESS MADE 
DEVELOPING THE SYSTEM 
As the project moves through the design and build 
phases, ask yourself, the system builder and the project 
teams the following questions: 


Are the project plan and budget in place? Do peo- 
ple pay attention to the plan? Is there a project 
office group that provides regular and accurate 
updates to the plan and the budget? Multimillion- 
dollar system development projects involve a lot of 
people and stretch across some period of time. The 
project plan is the central coordinating instrument that 
tells every person exactly what he’s supposed to be do- 
ing at any given time. If the plan isn’t kept current, the 
people on the project have no way to effectively coor- 
dinate their work. The system builder will lose track of 
the details. Delays, cost overruns and confusion will 
result. People won’t know how much has been spent to 
date or how much more is required to finish. When 
this happens, the project goes into a death spiral. 
Are the subsystem teams organizing their work
into clearly defined design and build phases? 
Are these phases getting done on time and on 
budget? The project team working on each sub- 
system should spend one to three months creating 
a detailed design and system prototype (design 
phase). The detailed design should then be turned 
into a working system within two to six months 
(build phase). If things take longer than this, the 
project is moving too slowly and it will lose 
momentum and drift. It’s the system builder’s 
responsibility to keep things organized and moving. 
Make sure this person is capable. 


How are the six tactical principles for running
projects being applied (see box, left)? Do you 
believe the answers you hear? Can the system 
builder explain this clearly, using plain language, 
or does he resort to the use of jargon? A qualified 
person can give you straight answers. The system 
builder is, in effect, the general contractor running 
the job. He can make or break the project. Get a new 
one if you need to. 


What’s the situation this week? Spot-check the
project plan and budget from time to time. Have the
system builder review the current project plan with
you, show you the money spent to date on each subsystem,
and the estimate for remaining time and budget
to complete each subsystem. Do you believe what
you hear? Can the system builder explain the situation
clearly, without tech talk? How does the most recent
estimate of time and budget compare to original estimates?
Is it still worth the cost to complete the project?


…ION OF PEOPLE ON THE PROJECT

Ask the following questions of yourself, the system
builder and the project teams:


What are the design specifications? As each project
team completes its design phase, ask them to
show you the design specifications, the process flow
diagrams, the logical data model for their subsystem,
the user interface, the technical architecture diagrams
and the system prototype. Can they tell you
how this system will deliver the business benefits in
the cost-benefit analysis? Do the design specifications
make any sense? Do the people on the team
know what they’re talking about?


Are the project team members as confident as the
project team leaders? Are the team leaders as
confident as the system builder? If people believe
they have the right skills and a good system design,
they will be confident in their ability to build the system.
If people at every level don’t share and reflect
this confidence, there’s a problem somewhere. If people
are trying to transfer onto the project, that demonstrates
confidence. If people are transferring off the
project or leaving the company, that indicates lack of
confidence. Expect the project to fail. QuickLink 52996





Adapted with permission from Building the Real-Time 
Enterprise: An Executive Briefing, by Michael H. Hugos 
(John Wiley & Sons Inc., 2005). 
Content
Management

• April 11-13, San Francisco
Sponsor: The Gilbane Report 

The Gilbane Conference on Content 
Management Technologies includes 
tracks on content management, enter- 
prise search and knowledge manage- 
ment, content technology, document 
and records management, and enter- 
prise information integration. It also 
features keynotes, case studies and 
best practices. www.gilbane.com/ 
conferences/overview.html 


Strategic Alliances 


• April 14-15, New York

Sponsor: The Conference Board Inc. 
Topics at the Strategic Alliances Con- 
ference include using alliances to fuel 
innovation and growth, introducing in- 
novation through alliances, sourcing 
innovation externally, partnering with 
competitors, forging big-small al- 
liances, implementing go-to-market 
strategies with partners and deciding 
when to partner. www.conference- 
board.org/conferences 


Business Process 
Outsourcing 


• April 18-19, New York

Sponsor: IDC 

Achieving Business Transformation 
Through Strategic Business Process 
Outsourcing includes a strategy track 
with presentations on specific function- 
al segments of BPO as well as strate- 
gic partnerships, multifunctional en- 
gagements, metrics and global sourc- 
ing. The financial services track ex- 
plores BPO within the insurance, bank- 
ing, collections and payment services 
industries. www.idc.com/events 


IT Symposium 

• May 15-19, San Francisco
Sponsor: Gartner Inc. 

The Gartner Symposium and ITxpo in- 
cludes tracks on operations manage- 
ment, IT asset management, gover- 
nance and control, application devel- 
opment and integration, business in- 
telligence, the role of the ClO, mobile 
and wireless, compliance, content 
management, CRM and more. 
www.gartner.com/events 





BARBARA GOMOLSKI 


CIO Success: 
Nature or Nurture? 


I BET YOU’VE HEARD THIS BEFORE: The CIO
must “get a seat” at the executive table. Once
there, he must convince others that IT is strategic
to the organization, thereby securing his own
destiny. There are a host of other mandates that
go along with this advice, such as “develop a good rela-
tionship with business stakeholders.”


Despite their best at- 
tempts, however, some 
CIOs are never elevated 
(figuratively or literally) 
from the basement of the 
organization. Why is that? 

Recently, I had an inter- 
esting discussion with a 
number of seasoned IT 
managers. We were talking 
about some of the sage ad- 
vice that is often given to 
CIOs, such as the above in- 
structions. Eventually, the 
topic turned to what I 
thought was a good ques- 
tion: How much control does the typi- 
cal CIO really have over his destiny? 

I look at this as a sort of nature vs. 
nurture question. Nature vs. nurture 
has to do with how much of one’s be- 
havior and personality is predeter- 
mined by genetics and how much is 
shaped by environmental factors. Ap- 
plied to the destiny of CIOs, nature vs. 
nurture is a way to look at how much 
of a CIO’s success depends on his per- 
formance and how much is predeter- 
mined by the attitude, culture and 
strategy of the firm in which he works. 

Advice to CIOs (including that given 
in my own column) almost always im- 
plies that the CIO is the master of his 
destiny. All he has to do is be a highly 
competent technologist, become a 
savvy business person and forge successful
relationships with other business
executives. Then IT
becomes strategic, and the 
CIO gallops off to success. 

This would be a good 
scenario, but intuition and 
our own experiences tell 
us that this is not always 
the way it happens. 

I have talked with many 
CIOs who have shared
their frustration about 
some of the roadblocks 
they face in making IT 
strategic and in securing 
their own place in the or- 
ganization. These road- 


blocks often include the following: 


• The CEO or CFO (or both) doesn’t
think IT is strategic and is unlikely to
be persuaded that it is.

• IT has always been seen as “over-
head” or a cost center in the company.

• The corporate executives don’t
really understand what IT does, nor
do they wish to.

Some will say these are merely cop- 
outs — ways for a CIO to escape his 
own responsibility. Certainly, some 
CIOs use statements like these to ex- 
cuse their failure. 

But I think that some CIOs face real 
roadblocks that virtually nobody could 
overcome. For example, if the CEO is 
convinced that IT is merely a utility — 
or worse, a necessary evil — how like- 
ly is it that even a good CIO can con- 
vince him otherwise? 








I suspect that the majority of CIOs 
and IT managers — even those facing 
some of the major challenges previ- 
ously discussed — can still impact 
their destiny. But a smaller percentage
(perhaps 20%) may work in organizations
where the attitude toward IT
makes it almost impossible for IT to
ever be seen as strategic.

As an IT professional and potential
or current CIO, you need to think
about this when you look at career opportunities.
If you want a seat at the
executive table and want to oversee a
strategic IT group, you’d better make
sure that the CEO’s attitude and the
corporate culture support that ambition.
Don’t assume that you can
change the CEO’s mind.

Conversely, if you are content to
be the keeper of infrastructure and
head of an IT utility, find an organization
where that vision matches the top
executive’s idea of “great IT.”

Most of you do have some control
over your destiny. You must continue
to provide reliable and low-cost infrastructure
services while developing
strong relationships with business
leaders. You must help the business
to understand how it can use IT to
accomplish its goals. You must determine
the staffing mix that will help
you do all this.

But for those in the minority, who 
have little or no control over your des- 
tiny, there’s not a whole lot you can do 
except understand the situation you 
face. And you might want to look for 
another job. QuickLink 52995


Many organizations unwittingly set up the CIO to fail 
Take this CIO success quiz to gauge your chances 
QuickLink 52813 


Want our opinion? For more columns and links to our 
archives, go to www.computerworld.com/opinions
IT DIRECTOR
WEBEX FANATIC

No one is more fanatical about secure web meetings than the men and women of IT. Their solution of choice: WebEx. Every
WebEx meeting application runs on the ultra-secure, highly scalable and proven reliable MediaTone™ network. Unlike other
web meeting solutions you don’t install MediaTone. You tap into it. Nothing even touches your servers. Low impact. High
security. And an interface users love. Now you can actually please all of the people all of the time. Secure web meetings
start at www.webex.com/it

WebEx, the WebEx logo, the WebEx ball and MediaTone are registered trademarks of WebEx Communications, Inc. ©2005 All rights reserved. Terms and conditions apply.





Who was selected as best in BI? 


Siebel Business Analytics

Siebel Business Analytics received the most prestigious BI award because unlike 
traditional BI vendors, Siebel meets the new business demands of enterprise BI. 
Siebel delivers richer, real-time intelligence for everyone across your enterprise. 
Working seamlessly with your existing systems and data warehouses, Siebel's mission- 
critical BI architecture supports multi-terabytes of data and thousands of users. 
And Siebel's pre-built solutions embed industry-specific best practices that are 


flexible, quickly implemented, and deliver low TCO. 


To learn more, visit www.siebel.com/realware 


SIEBEL. 
A Good Offense

Tired of being under attack, 
IT executives like Eric Litt, 
chief information security 
officer at GM, are taking 
preventive steps to head off 
security breaches. 


Supersmart Security 


Fresh from the lab, 


these intelligent security 


systems are designed to 
recognize new threats 
and limit damage. 


OPINION

Secure the People
Most companies are overlooking their biggest
security hole — their own people, says columnist
Mark Hall.

SPECIAL REPORT
How to build a security organization and select
security tools that can foil internal and external attacks.

EDITOR’S NOTE

ASK AN IT EXECUTIVE whether he’d prefer a
proactive security stance over a reactive one,
and of course the answer would be yes. For one
thing, it just sounds better. Plus, it’s not much
fun being reactive, because it means cleaning up
messes like thousands of virus-infected PCs and
explaining the nightmare to the boss.

So this special report is dedicated
to the notion that it’s better to be
proactive — a concept that seems
obvious but is very new in the IT
security field. You’ll learn how to
buy intrusion-prevention systems,
build a proactive security organiza-
tion and bake security into the
application development process
at the outset.

But no security organization can
possibly be 100% proactive.
“That would mean that
you predict every possible
threat and risk to your orga-
nization. The fact is that you
will be surprised and caught off-
guard from time to time,” says Doug
Landoll, CEO of IT security consultancy
Veridyn. In other words, sometimes you’ll
have no choice but to be reactive,
though ideally you will be able to
quickly identify and respond to
those crises, he says.

So what we’re really saying is that
it’s time to blend some proactive
techniques into your security mix,
which is what forward-thinking
companies like General Motors and
AT&T are doing. “You just cannot
sit back any longer and wait for
your LAN to go down,” says Ed Amoroso,
chief information security officer at AT&T.
“You need to be looking at things before they
become a problem.” QuickLink 52874

Mitch Betts is executive editor of Computer-
world. He can be reached at mitch_betts@
computerworld.com.
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“We are in a competitive stalemate with the creators of malware. What we are trying 
A Good Offense

Tired of being under attack, companies are taking preventive measures to head off security breaches. By Jaikumar Vijayan

KNOWLEDGE CENTER SECURITY


ERIC LITT, CHIEF information security officer at General Motors Corp., calls it “management by inclusion.” Simply put, it’s an information security strategy that reduces operational risk by denying network access and services to all people and processes not previously vetted by the company. “If I don’t know you’re good, I don’t talk to you,” Litt says.

Litt is one of a growing number of security managers who say traditional reactive defenses — focused on blocking known threats at the edge of the network perimeter — are no longer enough. What’s needed are more-proactive security capabilities that emphasize quicker identification and resolution of both internal and external threats.

“You just cannot sit back any longer and wait for your LAN to go down or for your employees to complain,” says Ed Amoroso, CISO at AT&T Corp. “You need to be looking at things before they become a problem.”

Several factors are driving this trend toward more-strategic security operations. Laws such as the Sarbanes-Oxley Act have put a greater burden on companies to demonstrate due diligence on matters related to information security. Worms, viruses, spyware and other types of malicious code are getting a lot better at sneaking past firewalls, antivirus defenses and intrusion-detection mechanisms. And growing wireless use, remote workers and the trend toward Web services are giving hackers more avenues for launching attacks.

Another important fact: The time it takes for hackers to exploit software holes has been shrinking dramatically, giving users very little time to react to new threats. The SQL Slammer worm of 2003 took eight months to appear after the flaw it exploited was first publicized. In contrast, last year’s MyDoom worm started making the rounds in less than four weeks.

“It’s getting so nasty out there, it’s frightening,” Amoroso says.

To achieve its goal of more-proactive security, GM launched a sweeping overhaul of its processes, including the manner in which it authenticates users and systems, enforces security policies, controls access to network services, patches holes, spots intruders and responds to incidents.

It’s a mighty task for a $186 billion behemoth with global operations, thousands of partners and tens of thousands of users. But it’s essential in order for GM to stay one step ahead of the bad guys, Litt says.

“We are in a competitive stalemate with the creators of malware,” Litt says. “What we are trying to do is gain back the advantage.”

Lane Timmons, security systems analyst at Texas Tech University’s medical school in Lubbock, says a key to this is a better understanding of how your company’s networks behave normally so you can spot abnormal activity more quickly.

After getting hammered by worms and viruses over the past few years, the school deployed several tools to help it spot and squelch attacks more quickly than the “hundreds of man-years of effort” that it used to take, Timmons says.

Among those tools is the network behavior modeling product QRadar from Q1 Labs Inc. in Waltham, Mass. The software analyzes and models typical network activity over a set period of time and then uses that data as a baseline to identify abnormal activity that might suggest the presence of worms, Trojans, port scans or denial-of-service attacks.

Such behavior modeling has dramatically improved the university’s ability to detect and respond to both internal and external intrusions, Timmons says. “Our ability to do a real-time analysis of our networks has made a big difference,” he says.
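The baseline-then-deviation approach Timmons describes, as an added illustration that is not part of the article and not QRadar’s code: constructed flow records stand in for the network, a per-host baseline of distinct destinations and destination ports per minute is built from a “normal” period, and a host that suddenly contacts far more destinations than its baseline allows (the shape of a worm sweep or port scan) is flagged, as is a host that has no baseline at all. Host names and addresses are hypothetical.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (minute, src_host, dst_host, dst_port).
# All hosts and addresses are invented for the example.


def constructed_baseline_flows():
    """A 60-minute 'normal' period: each workstation talks to a few internal servers."""
    flows = []
    ports = (80, 443, 25, 445)
    for minute in range(60):
        for host in ("ws-01", "ws-02"):
            n = 2 + (minute + (host == "ws-02")) % 3      # 2 to 4 destinations per minute
            for i in range(n):
                flows.append((minute, host, f"srv-{i:02d}", ports[i]))
    return flows


def constructed_observed_flows():
    """Minute 60: ws-02 behaves as before, ws-01 sweeps 200 addresses on port 445,
    and ws-99 is a host the baseline period never saw."""
    flows = [(60, "ws-02", f"srv-{i:02d}", (80, 443, 25)[i]) for i in range(3)]
    flows += [(60, "ws-01", f"10.0.3.{i}", 445) for i in range(200)]
    flows.append((60, "ws-99", "srv-00", 80))
    return flows


def summarize(flows):
    """Per host, per minute: (distinct destinations, distinct destination ports)."""
    dests, ports = defaultdict(set), defaultdict(set)
    for minute, src, dst, port in flows:
        dests[(minute, src)].add(dst)
        ports[(minute, src)].add(port)
    per_host = defaultdict(dict)
    for (minute, src), d in dests.items():
        per_host[src][minute] = (len(d), len(ports[(minute, src)]))
    return per_host


def build_baseline(flows):
    """Mean and population stdev of both per-minute counts, per host."""
    baseline = {}
    for host, minutes in summarize(flows).items():
        dest_counts = [d for d, _ in minutes.values()]
        port_counts = [p for _, p in minutes.values()]
        baseline[host] = {
            "dests": (statistics.mean(dest_counts), statistics.pstdev(dest_counts)),
            "ports": (statistics.mean(port_counts), statistics.pstdev(port_counts)),
        }
    return baseline


def detect(flows, baseline, k=3.0, floor=5):
    """Alert when a host's per-minute count exceeds mean + k*stdev.
    The floor keeps a host whose baseline never varies (stdev 0) from alerting
    on a single extra destination; hosts with no baseline are reported too."""
    alerts = []
    for host, minutes in summarize(flows).items():
        if host not in baseline:
            alerts.append((host, None, "no baseline for host"))
            continue
        for minute, (n_dest, n_port) in sorted(minutes.items()):
            for metric, value in (("dests", n_dest), ("ports", n_port)):
                mean, sd = baseline[host][metric]
                threshold = max(mean + k * sd, mean + floor)
                if value > threshold:
                    alerts.append((host, minute, f"{metric}={value} exceeds {threshold:.1f}"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(constructed_baseline_flows())
    for alert in detect(constructed_observed_flows(), base):
        print(alert)
```

Only ws-01 (200 destinations against a baseline of two to four) and the unknown ws-99 produce alerts; ws-02 stays quiet. The floor matters in practice: a print server that always talks to exactly the same three hosts has a standard deviation of zero, and without it a single new destination would page someone.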


Actionable Data

Integrating and correlating information from multiple security technologies is also crucial to enabling a more holistic view of the threats and vulnerabilities facing a corporate network, says Amoroso.

To this end, AT&T is retiring all of its individual Internet-facing firewalls, intrusion-detection systems and antivirus tools and is integrating the functions into its IP backbone layer. The company has built a massive security event management system, called Aurora, that’s capable of pulling in and correlating terabytes of network traffic and security data from the IP layer.

The data analysis allows AT&T to

Continued on page 38
Prep Work

Being proactive also means ensuring that security is built into your application software and not bolted on later, says Mary Ann Davidson, CISO at Oracle Corp.

Customers should ask vendors questions about their security practices, Davidson says. Questions should include: “How do you write secure code? Do you train your developers for that? Do you do ethical hacking to test your code? How are you making it easier for your customers to secure your code? What is the best practice for locking down your product?” she says.

What’s crucial at GM, says Litt, is “making sure the code we get is really secure out of the box and that the vendors are not making us a testbed for their software.” That’s because a majority of the security problems companies are facing today

GM is also applying the same concept in-house. The company has instituted “toll gates” for reviewing security at various stages in the product development life cycle, “even before the first line of code is written,” Litt says.

In the end, however, there’s a limit to just how proactive you can be, says Lloyd Hession, CISO at Radianz Inc., a New York-based provider of telecommunications services to financial companies.

One of the key … scenario is … and backup process in … that there is no “skills …

… timely patching … network administrator … Carrollton, Ga. … cable … to have a … the attackers when the attacks do come, he says.

There is no silver-bullet technology or singular process change for addressing this problem, Litt says. The goal should be to “social-engineer security into your processes versus putting it in as an afterthought,” he says. @ 52584

SNIFF OUT TROUBLE
@ QuickLink a5610

Technology vendors are pitching a variety of tools and approaches to help companies better prepare for attacks. Among them are the following:

INTRUSION-PREVENTION SYSTEMS
These products, evolved from network intrusion-detection systems, help companies block both known and unknown attacks. Most products in this class work by looking for known virus signatures and anomalous network behavior that might indicate the presence of a worm or virus. See “Erecting Barriers” on page 42 for more on intrusion-prevention systems.

■ UnityOne IPS, TippingPoint Technologies Inc., Austin (a division of 3Com Corp.)
WHAT IT DOES: In addition to identifying and blocking threats, the tool supports traffic classification and rate-shaping functions for high-priority applications.

■ Top Layer Networks Inc., Westboro, Mass.
WHAT IT DOES: The ASIC-based hardware appliance is designed to deal with content-based attacks, such as worms and Trojan horses, as well as rate-based attacks, such as distributed denial-of-service attacks.

■ Juniper IDP, Juniper Networks Inc., Sunnyvale, Calif.
WHAT IT DOES: It’s a rules-based intrusion-detection and -prevention tool.

■ Proventia, Internet Security Systems Inc., Atlanta
WHAT IT DOES: This appliance has more than 225 built-in rules for detecting and blocking hybrid threats.

ENDPOINT SECURITY PRODUCTS
These ensure that endpoint devices, such as PCs, notebooks and handhelds, have appropriate protections in place, including active firewalls and updated antivirus software and patches, before letting the devices access a corporate network.

■ Cisco Security Agent, Cisco Systems Inc.
WHAT IT DOES: This software combines host intrusion-prevention functions with spyware/adware protection and host firewall and operating system integrity assurance.

■ Check Point Integrity, Zone Labs LLC, San Francisco (a unit of Check Point Software Technologies Ltd.)
WHAT IT DOES: It combines PC firewall technology with central policy management and policy-based enforcement on endpoint devices.

■ Secure Enterprise, Sygate Inc., Fremont, Calif.
WHAT IT DOES: It combines endpoint agent technology with policy management servers, LAN-based enforcement servers and remediation capabilities.

■ CyberGatekeeper, InfoExpress Inc., Mountain View, Calif.
WHAT IT DOES: This product suite combines functions for monitoring and enforcing security policies on local and remotely connected

SECURITY INCIDENT/EVENT MANAGEMENT TECHNOLOGIES
This class of products is used by companies to gather, consolidate and analyze information from multiple-point technologies such as firewalls, antivirus products and intrusion-detection systems. The goal is to enable better identification and response to key security incidents. For more on this topic, go to: @ QuickLink 52131

■ Security Manager, NetIQ Corp., San Jose
WHAT IT DOES: It consolidates data from across the enterprise network and combines event correlation, visualization, trending and forensics to help companies get a more holistic picture of their security.

■ ArcSight Inc., Cupertino, Calif.
WHAT IT DOES: It correlates events and information from multiple devices, including asset value and vulnerability data. It also supports automated investigation and resolution of problems.

■ NetForensics Inc., Edison, N.J.
WHAT IT DOES: It supports event normalization, threat visualization, reporting and analytics, policy compliance monitoring and incident resolution management.
Baked-in Security

Catch flaws at the application development stage to avoid costly breaches. By Heather Havenstein

IT’S A PROBLEM at many organizations today: Developers are so narrowly focused on quickly building feature-rich applications that security becomes an afterthought.

The task of securing those applications is often left to others — traditionally, systems administrators who can wield firewalls, intrusion-detection software and other weapons at the network perimeter after the applications have been deployed.

“The industry has been treating security as a perimeter issue — keep the bad guys out [of] the castle, and everything is fine,” says James Whittaker, co-founder of Security Innovation Inc., a Boston-based company that provides security assessment and testing services. “The bad guys get in, or they are already in [because] they are employees at our company. The lion’s share of the burden falls on application developers to make sure it’s not their application that is the entry point for a breach.”

Yet few organizations have standardized efforts to address security inside the perimeter, says Ron Exler, director of research operations at Robert Frances Group Inc. in Westport, Conn.

Finding a Fix

According to research firm Gartner Inc., although many companies have made significant investments in tools to secure production applications, fixing security flaws prior to production can generate significant cost savings. If 50% of vulnerabilities were removed before production of purchased and internally developed software, enterprise configuration management costs and incident-response costs could be reduced by 75% each, Gartner says.

To do it right, companies need to write a business application profile and a user application profile as part of the development process, says Exler. A business application profile details what an application does and its various components. A user application profile lays out the likely users of the application and how they will be using it.

“Security definitely ties into both the application and the users,” Exler says. “As you are developing, you need to be cognizant of how the application is going to be used and the flow of it.”

After the profiles are completed, IT security people can be brought in to analyze the security scenarios of these profiles. “You can see the potential weaknesses in the application, in the user workflow, and then you can see where you can build protections,” Exler says.

The testing and quality assurance phases also should include a focus on security. An application that doesn’t meet security requirements should be considered defective, just like an application that has errors or bugs that result in performance problems, says Exler.

But even more important is to change the “code and go” mind-set of developers. “If security needs to be raised in importance in the application development process, it should be part of the developer’s performance plan, just like showing up on time or writing code with fewer errors,” Exler explains.

Finally, companies should also be scrutinizing the security practices of their IT vendors. Exler suggests that companies add compliance with security requirements as part of service-level agreements.

MAKE VENDORS PAY
Opinion: Want more-secure applications? Then make software vendors liable for the holes in their products, says Bruce Schneier, CTO at Counterpane Internet Security:


Rigorous Review

Blue Cross and Blue Shield of Massachusetts Inc. has already ramped up efforts to infuse the company’s application life cycle with preemptive security efforts.

Beginning with the technical design and review phase for new applications, the company evaluates for security risks and builds steps into the design and documentation that are aimed at eliminating potential holes, says Frank Enfanto, vice president of operations delivery and information security at the Boston-based health care organization. For example, it might use domain modeling or add permission- or role-based access to secure code, he says. “We try to ensure we are consistent from project to project. That gives us a certain level of guidelines for developers to use,” Enfanto says. “We also provide [developers] with certain coding standards that help mitigate general security risks.”


Blue Cross conducts negative application testing to try to find security flaws that could allow unauthorized access to an application once it’s deployed. The organization also scans its applications with intrusion-detection technology to identify potential security holes in the code, but those types of tools are immature and return a lot of false positives, according to Enfanto.

“Our approach is not to just tell the coders to do this and test it and assume we are OK,” Enfanto says. “Whatever you are doing in development and design, you are doing it in a pristine and clean environment. It is not the real world until it is deployed.” @ 52583

Test It Or Toss It

AT PENTAIR INC., a Golden Valley, Minn.-based water treatment and storage product company, vendors are required to submit their Web application or hosting products to be scanned for security vulnerabilities by SPI Dynamics Inc.’s WebInspect tool.

“If they don’t allow us to run the tool and find the vulnerabilities, I am not interested in allowing them to host my data,” says Paul Samadani, Pentair’s director of corporate IT. “We’ve been able to eliminate products or tell them they have to go back and fix a product that had issues.”

The tool was designed to identify vulnerabilities within the Web application level at all phases of the application life cycle, including development, quality assurance, production and auditing.

For internal development, Pentair uses WebInspect to check any changes to code or new code developed for Web applications. In addition, the company has customized the product to ensure compliance with internal security policies.

The cost-benefit analysis for these tools is similar to that for buying perimeter tools, according to companies that have made the leap to building security protection into their applications.

“You can recover the cost of the technology on one mistake that you find,” Samadani says. “Within seconds, someone will find that vulnerability, and you won’t even know about it until the information is gone. The cost if all your intellectual property leaks out is tremendous.”

- Heather Havenstein
Erecting Barriers

Intrusion-prevention systems don’t just tell you there may be an attack — they block it. By Drew Robb

THERE ARE TWO APPROACHES to fighting viruses: prevention or cure. With networks, you can use an intrusion-detection system (IDS) to tell you when there is a problem or an intrusion-prevention system (IPS) to block it in the first place.

The Weather Channel Interactive Inc. in Atlanta, for example, picked up suspicious activity via an IDS. For several days in a row, it detected a high amount of traffic coming in for a specific server port from 1 a.m. to 3 a.m. “My concern was that if it was a probing attack and they were doing it off shift, I had to watch out for when they did a real attack during prime shift,” says Dan Agronow, vice president of technology.

This kind of after-the-fact probing is like using a thermometer to confirm that you are indeed running a fever — much too late to prevent infection. The Weather Channel wanted to be able to react quicker

Continued on page 44

Continued from page 42

and keep up with the latest attack patterns happening on the Internet. It installed UnityOne 1200 intrusion-protection appliances from TippingPoint Technologies Inc. in Austin. “Now when we get attacked, we have the forensic information we need and the ability to block it,” says Agronow.

Block and Tackle

Intrusion protection is one aspect of a complete defense-in-depth strategy. It supplements but doesn’t replace other layers already in place.

“Don’t think that these products are something that will eliminate the need for spam filters, personal firewalls or whatever else you are using,” says Brian Philips, director of security at Network Systems Technology Inc. in Naperville, Ill., which provides managed networking, storage and security services. “IPS is part of a defense-in-depth strategy, not a replacement for what you already have.”

IPSs address some of the shortcomings that became apparent as companies deployed IDSs. While the latter tell you there may be an attack, the former seek to block it. In that sense, an IPS is similar to a firewall, but it takes the opposite approach.

“Firewalls and network IPS, though they appear to be very close to each other, are complementary but very distinct products,” says Greg Young, an analyst at Gartner Inc. “Firewalls block everything except what you explicitly allow through; an IPS lets everything through except what it is told to block.”

The biggest concern with setting up an IPS is the problem of false positives: mislabeling legitimate traffic as malicious. Unlike an IDS, which sits off to the side and alerts only when it detects a potential problem, an IPS sits in-line and actively blocks traffic. Although vendors have gotten better with their identification algorithms, they are far from perfect.

“False positives are still a huge problem, so much so that it severely affects the value proposition of an IDS or IPS,” says Paul Stamp, an analyst at Forrester Research Inc. “Users are still really fearful that their IPS will end up effectively performing a denial-of-service attack on their infrastructure.”

To get around this, most devices are designed for a three-phase deployment. Philips describes the steps he took to set up a Sentivist 500 IPS from NFR Security Inc. in Rockville, Md., for the Multiple Listing Service that Florida real estate agents use to share property information. It took 10 minutes to install the equipment and load some IP addresses for reporting. The box then operated in bypass mode, which means it didn’t block anything.

“We started by having it stop nothing, tag everything and then start turning stuff on,” he says.

Tuning took place over the next eight hours. During the second phase, the IPS still didn’t block anything, but it generated reports of what it would have blocked. Philips then reviewed this data and decided whether he wanted the IPS to block that type of traffic. The third step was to activate the IPS, using the rules Philips had established. He then scheduled two other follow-up sessions to further tune the blocking.

Young suggests, however, that one way to avoid false positives is to avoid tightening down rules too much. Although this means that some malicious traffic will get through, this approach still has value. “There is incredible value to be gained just from blocking the clearly bad stuff,” he says. “Then they can learn more about the gray areas and decide what else they want to stop.”

A Step Beyond

Improved security isn’t the only benefit from installing an IPS. Matt Merritt, vice president of operations at Beal Service Corp. in Plano, Texas, which provides administrative support to other units of Beal Financial Corp., installed TippingPoint UnityOne 2400 units as part of complying with regulatory requirements governing protection of customer information. But he also found that it cut down the load on the rest of the network. “The overall performance on our network has generally improved, due in part to TippingPoint’s traffic normalization feature, which filters out bad or malformed packets,” he says.

The University of Georgia’s chief information security officer, Stan Gatewood, reports that putting in an IPS allowed him to see what was on the network and gain better control. “When we took a look at the network, we were shocked at the protocols that were running around out there,” he says. “We can now narrow it down to the standards and protocols we will support and block the rest.”

However, although these added benefits have value, the primary advantage is still the ability to block threats at the gateway, so the other layers don’t need to deal with them.

“There’s no reason to let Blaster into the network,” says Gartner’s Young. @ 52264

Robb is a Computerworld contributing writer in Los Angeles. Contact him at drewrobb@sbcglobal.net.

State of the Market

Broadly speaking, there are two types of IPS: network-based and host-based. A network IPS is a device that performs a deep inspection of packets as they come through, even reassembling them to examine the entire communication before passing them along.

There are three types of vendors in this area:
1. Pure-play IPS vendors, such as TippingPoint.
2. IDS companies, such as Internet Security Systems Inc., which are expanding their functionality to include blocking.
3. Firewall makers, such as Check Point Software Technologies and NetScreen Technologies, which are adding deep packet-inspection functions to create “next-generation” firewalls.

In addition, IPS functions are being added to other network devices. For example, Juniper Networks Inc. acquired NetScreen last year, and 3Com Corp. purchased TippingPoint, so you can expect to see the added security technologies incorporated into the parent firms’ networking gear to block suspect traffic.

A host-based IPS, on the other hand, is software rather than an appliance and comes from different vendors. Gartner analyst Greg Young says host-based intrusion prevention for servers is a mature technology, but he advises companies to hold off for now on deploying it on the desktop.

- Drew Robb

Five Tips for Selecting an IPS

STAN GATEWOOD, chief information security officer at the University of Georgia in Athens, uses IPSs both at the Internet gateway and at several points in his own network. He uses appliances at the gateway scaled to process the more than 2Gbit/sec. that pass through that point.

Gatewood won’t disclose which model the university is using for edge protection, other than to say that it comes from either McAfee Inc., TippingPoint or Symantec Corp. - the three vendors whose products could process that much traffic. Internally, however, Gatewood needs only 100MB of capacity, so he uses several instances of Sleuth9 software from DeepNines Inc. in Dallas on a Sun Microsystems Solaris platform. Gatewood offers the following five criteria he used to decide which systems to install:

PERFORMANCE. Since an IPS runs in-line, it must be able to analyze all the packets passing through it without overloading. “We needed to make sure that it would stand up to our bandwidth and not disrupt network operations,” he says. “You will find that a lot of vendors will fall off once you start talking about traffic in the gigabit range.”

BLOCKING ALGORITHMS. The systems need to use multiple algorithms - signatures, behavior and policies - to block malicious actions.

ANALYTICS. It must have some intelligence built in to tell the difference between a normal event and an attack.

REPORTING. “We must be able to quantify the usage of the IPS and generate both technical and executive reports to show it is indeed working for us,” says Gatewood.

INTERFACE. It needs to have a graphical user interface and a low learning curve for the IPS administrator. “We absolutely need it to be as intuitive as possible so we can have it up and running and effective as soon as possible,” he says.

Gartner analyst Greg Young agrees that performance is the No. 1 criterion when selecting an IPS, but he cautions against making a decision based on a vendor’s figures. Instead, a company needs to test in-house to see how it performs against its actual network traffic.

“We see customers getting very different results in terms of latency, throughput and overall IPS function,” he says.

- Drew Robb
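Young’s contrast between firewall and IPS default policies, and the bypass/report/enforce rollout Philips describes, as an added example that is neither NFR’s nor TippingPoint’s code: a default-deny firewall check sits beside a default-allow IPS whose rules are constructed for the example, and the rollout tags in phase 1, counts would-be blocks in phase 2, disables any rule that would have blocked a large share of everyday traffic (Young’s “block the clearly bad stuff” first), and enforces in phase 3. Packets, addresses and rules are all constructed.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    BYPASS = "bypass"    # phase 1: block nothing, tag everything that matches
    REPORT = "report"    # phase 2: block nothing, count what would have been blocked
    ENFORCE = "enforce"  # phase 3: drop packets matched by an enabled rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Constructed rules for the example (not any vendor's rule set): name -> predicate.
RULES = {
    "nop-sled": lambda p: b"\x90" * 16 in p.payload,   # long NOP run, a classic exploit signature
    "port-zero": lambda p: p.dport == 0,               # malformed destination port
    "cleartext-telnet": lambda p: p.dport == 23,       # a protocol the site would like to retire
}

ALLOWED_PORTS = frozenset({25, 80, 443})


def firewall_verdict(pkt, allowed=ALLOWED_PORTS):
    """Firewall semantics per Young: default deny, pass only what is explicitly allowed."""
    return "pass" if pkt.dport in allowed else "drop"


class Ips:
    """IPS semantics per Young: default allow, drop only what a rule says to block."""

    def __init__(self, rules, mode=Mode.BYPASS):
        self.rules = dict(rules)
        self.enabled = set(rules)
        self.mode = mode
        self.would_block = Counter()   # phase-2 evidence for the operator to review

    def inspect(self, pkt):
        """Return (verdict, names of matching rules)."""
        hits = [name for name, match in self.rules.items() if match(pkt)]
        if self.mode is Mode.BYPASS:
            return "pass", hits
        enforced = [name for name in hits if name in self.enabled]
        if self.mode is Mode.REPORT:
            self.would_block.update(enforced)
            return "pass", hits
        return ("drop" if enforced else "pass"), hits

    def disable(self, name):
        self.enabled.discard(name)


def phased_rollout(traffic, max_block_ratio=0.10):
    """Bypass -> report -> enforce. A rule that would have blocked more than
    max_block_ratio of the traffic in phase 2 is treated as a likely false-positive
    source and disabled before enforcement, leaving only the clearly bad stuff."""
    ips = Ips(RULES, Mode.BYPASS)
    tagged = Counter()
    for pkt in traffic:                       # phase 1
        tagged.update(ips.inspect(pkt)[1])

    ips.mode = Mode.REPORT
    for pkt in traffic:                       # phase 2
        ips.inspect(pkt)
    disabled = sorted(name for name, count in ips.would_block.items()
                      if count / len(traffic) > max_block_ratio)
    for name in disabled:
        ips.disable(name)

    ips.mode = Mode.ENFORCE
    verdicts = [ips.inspect(pkt)[0] for pkt in traffic]   # phase 3
    return {"tagged": dict(tagged), "disabled": disabled, "verdicts": verdicts, "ips": ips}


def constructed_traffic():
    """Constructed sample: ordinary HTTPS, some legacy telnet the business still
    relies on, then one NOP-sled payload and one port-0 packet from outside."""
    traffic = [Packet("10.1.1.5", "10.2.0.10", 443, b"GET / HTTP/1.1") for _ in range(6)]
    traffic += [Packet("10.1.1.7", "10.2.0.11", 23, b"login: ") for _ in range(3)]
    traffic.append(Packet("203.0.113.9", "10.2.0.10", 80, b"\x90" * 32 + b"\xcc"))
    traffic.append(Packet("203.0.113.9", "10.2.0.10", 0))
    return traffic


if __name__ == "__main__":
    result = phased_rollout(constructed_traffic())
    print("phase 1 tags:", result["tagged"])
    print("disabled after review:", result["disabled"])
    print("phase 3 verdicts:", result["verdicts"])
```

The telnet rule would have blocked more than a quarter of the sample, so the review step disables it before enforcement; the sled and port-0 packets are still dropped. The same unlisted port (8080, say) is dropped by the firewall and passed by the IPS, which is the asymmetry Young describes.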
FOR SOME TIME, we have been losing the battle against those who would damage our computer systems. That’s because computers are increasingly interconnected and the software they run is more complex. Both factors increase vulnerability to infection and intrusion.

Security measures haven’t kept up because they have tended to focus on prevention — antivirus software and firewalls are all geared toward blocking damage, not repairing it. And they are not all that good at detection because they are generally programmed to recognize known threats, not new ones.

“We’ve been riding the coattails of 1970s ideas, and the weaknesses are obvious to everybody,” says David Patterson, president of the Association for Computing Machinery. “Security problems are glaring.”

But experimental prototypes and a few commercial products are beginning to overcome the limitations of these 1970s ideas. Some of them can detect malware and intrusions without relying on hard-coded definitions or known behavior patterns. Others assume that bad things will happen regardless and instead attempt to limit damage and keep systems running.

Detection and Prevention

Sana Security Inc. in San Mateo, Calif., sells intrusion-prevention software patterned after biological immune systems. Its Primary Response product uses software agents to build a profile of an application’s normal behavior based on the code paths of a running program. It then watches execution of the program for deviations from the norm. It requires no predetermined signatures or policy rules.

The software stops anomalous behavior by blocking system call executions. Because the software continually learns, Sana says, it can recognize and allow legitimate code changes. That enables it to minimize false positives, which can be a major drawback of these kinds of security tools.
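An added illustration of the profile-then-block idea in the two paragraphs above; it is not Sana’s code, and it simplifies the “code path” profile the article describes to a profile of system-call n-grams: sequences seen while learning are normal, a trace made almost entirely of unseen sequences is blocked before its calls execute, and a legitimate change (here, a new logging path after an update) is admitted by learning its trace, which is the continual-learning behaviour the article credits with keeping false positives down. The traces are constructed for a hypothetical small network service.

```python
# Constructed system-call traces for a hypothetical request-handling service.
# Invented for the example; not recorded from any real program.
NORMAL_TRACES = [
    ["accept", "read", "stat", "open", "read", "write", "close", "close"],           # serve a file
    ["accept", "read", "stat", "write", "close"],                                     # file missing
    ["accept", "read", "stat", "open", "read", "read", "write", "close", "close"],   # larger file
]
# A trace unlike any learned code path: the handler wires its socket to a new process.
ANOMALOUS_TRACE = ["accept", "read", "dup2", "dup2", "execve", "wait4"]
# A legitimate update adds one logging write after the response; the profile has not seen it.
UPDATED_TRACE = ["accept", "read", "stat", "open", "read", "write", "close", "close", "write"]


class BehaviorProfile:
    """Normal behaviour as the set of system-call n-grams observed while learning."""

    def __init__(self, n=3):
        self.n = n
        self.known = set()

    def ngrams(self, trace):
        return [tuple(trace[i:i + self.n]) for i in range(len(trace) - self.n + 1)]

    def learn(self, trace):
        """Add a trace's n-grams to the profile (initial training or an approved change)."""
        self.known.update(self.ngrams(trace))

    def check(self, trace):
        """Fraction of the trace's n-grams never seen before, plus those n-grams."""
        grams = self.ngrams(trace)
        unseen = [g for g in grams if g not in self.known]
        ratio = len(unseen) / len(grams) if grams else 0.0
        return ratio, unseen

    def decide(self, trace, max_unseen=0.25):
        """'block' when the trace strays too far from every learned code path;
        a small number of unseen n-grams is allowed but still visible via check()."""
        ratio, _ = self.check(trace)
        return "block" if ratio > max_unseen else "allow"


def build_profile():
    profile = BehaviorProfile(n=3)
    for trace in NORMAL_TRACES:
        profile.learn(trace)
    return profile


if __name__ == "__main__":
    profile = build_profile()
    for name, trace in (("normal", NORMAL_TRACES[1]), ("anomalous", ANOMALOUS_TRACE),
                        ("updated", UPDATED_TRACE)):
        ratio, unseen = profile.check(trace)
        print(f"{name}: {profile.decide(trace)} ({ratio:.2f} unseen) {unseen}")
    profile.learn(UPDATED_TRACE)          # operator approves the new logging path
    print("updated after learning:", profile.check(UPDATED_TRACE)[0])
```

The threshold is the knob the article’s false-positive discussion is about: too low and every patch becomes an incident, too high and short deviations slip through. Recording the unseen n-grams, not just the ratio, is what lets an operator tell a new logging path from a spawned shell.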

Sana’s technology has its roots at the University of New Mexico, where researchers have developed something of a specialty in “resilient and adaptive computing.” For example, they are working on Randomized Instruction Set Emulation, or RISE, which is based on the notion that diversity in code is a good thing. The same is true in biology: Resistance to disease is greater in wild plants, where there is much genetic diversity, than in cultivated ones, where there is much more homogeneity.
Fresh from the lab, these intelligent security systems are designed to recognize new threats and limit damage. By Gary H. Anthes

RISE makes each system unique by randomly varying some code so that for an attack to spread, it would have to be modified for each computer. Some machine code is “randomized” at the time a process is initiated and then “de-randomized” when it is fetched for execution. In the meantime, malicious code would find the target code unrecognizable.

But IT managers don’t have to wait for RISE to be commercialized to get some benefits of diversity, says Patterson, who is also a computer science professor at the University of California, Berkeley. “More than one computer company makes computers, and more than one company makes operating systems,” he says. “Cost of ownership is less when everything is identical, but your vulnerability to attack is greater.”


Recovery Room 

Computer security experts have come 
to recognize that no affordable combi- 
nation of protections can keep a sys- 
tem completely safe all the time. So 
they are focusing on how to make at- 
tacks less damaging while keeping 
systems running, albeit sometimes at 
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reduced levels of performance 

Patterson and others at Berkeley are 
working on recovery-oriented computing 
(ROC), in which systems do fast, almost 
invisible “microreboots” of the code ex- 
periencing some difficulty — a buffer 
overflow, for example — while an appli- 
cation is running. The key to ROC is 
logic that watches running processes, 
senses when something is wrong and 
then triggers the microreboot before 
the whole system crashes. 

Patterson says there is a natural fit 


| between tools for better detection and 


prevention, such as Sana’s Primary 
Response, and tools for surviving an 


| . 
attack, such as ROC. “ROC is trying to 


make recovery fast and inexpensive,” he 
says. “If recovery is expensive and com- 
plicated, then your detection mecha- 
nism needs to be close to perfect.” 

Patterson says his research team had an “Aha!” moment while developing ROC. “It was that lowering the cost of recovery makes it tolerable to have a higher false-positive rate.”

Another way to keep business flowing is to simply slow an attack so that fewer machines are infected before countermeasures can be employed. As part of its work in resilient infrastructures, Hewlett-Packard Co. has developed virus-throttling software that permits connections from one machine to another at a slow rate — the way users work, say, at one or fewer connections per second — but delays or blocks connections to machines when the requests come at a rate of hundreds per second, as they do with modern worms.

The Responsive Input/Output Throttling project at the University of New Mexico is combining different defense mechanisms, an approach that mimics biological defense mechanisms. It uses throttling to limit the rate of connection to other computers. But throttling is made much more flexible by coupling it with agents that learn the normal behaviors of specific combinations of users, machines and applications. “You turn it on and it learns what the rates are for your network behavior,” says Matthew Williamson, senior researcher at Sana and previously a developer of throttling technology at HP Labs.
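As an added illustration of the rate-based approach described in the two paragraphs above, the following Python simulation is this editor's own and not code from HP Labs or the RIOT project: a per-host throttle that releases connections to new destinations at a learned rate (one per second here), queues the excess and flags the host once the backlog grows worm-like. The working-set and delay-queue structure, the thresholds, the learning step and the two traffic traces are assumptions of the example.

```python
"""Simulated rate-based connection throttle (constructed example, not code
from the article, HP Labs or the RIOT project).

Connections to new destinations pass at a slow, human-like rate, excess
requests are delayed, and a sustained backlog is treated as worm-like and
blocked.  The working-set/delay-queue structure, the thresholds, the
learning step and the sample traces are this example's own assumptions.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class ThrottleStats:
    allowed: int = 0                  # passed immediately
    delayed: int = 0                  # queued for a later release slot
    blocked: int = 0                  # dropped because the backlog was full
    alarm_at: Optional[float] = None  # time the source was first flagged


class ConnectionThrottle:
    """Throttle on one source host's connections to *new* destinations.

    rate: new destinations released per second (the 'one or fewer
    connections per second' a person generates).  working_set: recently
    contacted destinations, which pass untouched.  block_backlog: queue
    length beyond which the source is treated as spreading and dropped.
    """

    def __init__(self, rate=1.0, working_set=4, block_backlog=20):
        self.rate = rate
        self.block_backlog = block_backlog
        self.working_set = deque(maxlen=working_set)
        self.queue = deque()
        self.next_slot = 0.0  # earliest time the next new destination may leave
        self.stats = ThrottleStats()

    def _release(self, now):
        # Let one queued destination out per 1/rate seconds of elapsed time.
        while self.queue and now >= self.next_slot:
            self.working_set.append(self.queue.popleft())
            self.next_slot += 1.0 / self.rate

    def request(self, now, dest):
        """Decide on one connection attempt: 'allow', 'delay' or 'block'."""
        self._release(now)
        if dest in self.working_set:
            self.stats.allowed += 1
            return "allow"
        if not self.queue and now >= self.next_slot:
            self.working_set.append(dest)
            self.next_slot = now + 1.0 / self.rate
            self.stats.allowed += 1
            return "allow"
        if len(self.queue) >= self.block_backlog:
            self.stats.blocked += 1
            if self.stats.alarm_at is None:
                self.stats.alarm_at = now
            return "block"
        self.queue.append(dest)
        self.stats.delayed += 1
        return "delay"


def learn_rate(events, margin=1.0):
    """Allowed rate learned from a trace of normal (timestamp, destination)
    events: first-contact destinations per one-second bucket, busiest bucket
    scaled by `margin`, never below one per second.  This stands in for the
    'turn it on and it learns the rates' step the text describes."""
    seen, per_second = set(), {}
    for t, dest in events:
        if dest not in seen:
            seen.add(dest)
            per_second[int(t)] = per_second.get(int(t), 0) + 1
    return max(1.0, max(per_second.values(), default=0) * margin)


def simulate(events, throttle):
    for t, dest in events:
        throttle.request(t, dest)
    return throttle.stats


# Constructed traces: a person hopping between three servers every 1.5 s,
# and a worm probing a fresh address every 5 ms (200 new hosts per second).
USER_TRACE = [(i * 1.5, f"srv{i % 3}") for i in range(20)]
WORM_TRACE = [(i / 200.0, f"10.0.{i // 256}.{i % 256}") for i in range(600)]


def run_scenarios():
    rate = learn_rate(USER_TRACE)
    return {"learned_rate": rate,
            "user": simulate(USER_TRACE, ConnectionThrottle(rate=rate)),
            "worm": simulate(WORM_TRACE, ConnectionThrottle(rate=rate))}
```

With the learned one-per-second rate the human trace passes with nothing delayed, while the worm trace gets a single connection out before the queue fills and the host is flagged within its first tenth of a second.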


“Throttling opened the door to thinking about rates of things instead of, ‘Is it allowed or not?’ ” Williamson says. “People in security tend to think in a binary way.” But security, and its cost, are not either/or issues, he says.

“Costs can be significantly reduced by having systems that are resilient, and they don’t have to work perfectly,” he says. “You get quite a lot of value out of 80% security.” QuickLink 52263
Top Five Vendors

The biggest vendors of IT security software worldwide, by 2004 revenue:

1. Symantec Corp.
2. McAfee Inc.
3. Computer Associates International Inc.
4. Check Point Software Technologies Ltd.
5. Trend Micro Inc.

FRAMINGHAM, MASS.

Security Software

Worldwide new-license revenue for security software of all types* [chart; the one legible figure is $5.8B]

* Figures for 2005 and 2006 are projected

SOURCE: GARTNER INC., STAMFORD, CONN., FEBRUARY 2005

Top Barriers to IT Security

1. Limited budget
2. Limited staff dedicated to security
3. Limited or no time to focus on security
4. Limited or no security training/awareness
5. Complex technology infrastructure
6. Limited support from executives

Base: 8,000 senior IT executives in 62 countries

SOURCES: PRICEWATERHOUSECOOPERS, NEW YORK, AND CIO MAGAZINE, FRAMINGHAM, MASS., SEPTEMBER 2004
MARK HALL

Secure the People

When you and your company’s chief security officer sit down to plot the budget for protecting the corporate WANs and LANs, servers and desktops, laptops and other mobile devices, there’s a lot to discuss. Should you invest in better firewalls or intrusion-prevention systems? Additional antivirus technologies? Maybe some fancy new endpoint security software?

Or maybe, just maybe, you ought to invest the lion’s share of your IT security budget in the single biggest and most glaring security hole in your entire organization: your end users. If you did that, you’d be protecting your pricey IT infrastructure and the priceless information it contains better than all the other technology combined.

The Ernst & Young Global Information Security Survey last year revealed that end-user security training was the No. 1 problem inside large organizations. Yet less than half of the respondents said their companies had a formal training program to meet that threat.

How stupid is that?

Most companies feel that they’ve trained workers if they’ve sent them an e-mail with a list of do’s and don’ts. Some include a five-minute bit of slideware as part of new-employee orientation. Neither approach is worth much. You might as well tell workers, “We just don’t care that much about IT security. Do whatever you want.”

Martin Bean, chief operating officer at New Horizons Computer Learning Centers, says companies “only pay lip service” to end-user security training. And, he adds, when he talks to the boards of directors at major companies about securing their IT infrastructures, “the toughest part of the conversation is about the need to retrain every single employee” to be secure computer users.

I know that IT likes to believe that all problems created by technology can be solved with more technology. In many cases, sad to say, it’s true. But not this time. Technology is a small part of the security solution. People are the big part.

Before workers are given computers and passwords, they should be given at least a half-day, if not a full-day, tutorial about the ins and outs of secure computing practices as defined by your IT department. Dedicating precious time and resources to such a learning experience tells new workers (and existing ones) that you are very serious about IT security procedures. It’s not lip service.

In those sessions, employees should learn about everything from phishing to the proper use of passwords. What’s more, they ought to be told about the consequences of failing to be security-conscious corporate citizens.

That’s right: consequences.

If workers flout security procedures, they should be punished. Although a network security administrator might think a firing squad is a worthy punishment, it’s unlikely that the HR bigwigs will go along with the idea. But they might agree to some well-conceived consequences for a person’s documented failures to keep your company’s IT assets safe, such as writing passwords on Post-it notes and sticking them on monitors. I think the loss of one day of vacation for every security violation after the first breach seems fair. And it will get workers’ attention. No one likes to lose vacation time. Once any employee has lost a week of vacation time, the next transgression should mean job termination.

The standard whine from end users about, say, complex passwords is, “It’s too hard to remember the password. It’s got numbers and characters in it.” Of course it’s difficult. That’s the point. And, yes, you need to write it down. But you can put it in a safe place like maybe your wallet. You put money and credit cards inside a wallet, so presumably you try to keep it safe. You carry a wallet in your pocket or purse. If you think it’s too difficult for you to open your wallet, well, maybe a firing squad is in order.

I also think workers should be rewarded for keeping a company secure. For example, if the company goes a full year without getting infected by a virus, everyone gets an extra vacation day in the next calendar year.

My point here is that there’s far too much emphasis placed on technology to solve a problem that’s often controlled by individuals. You need to push your company from the CEO on down to redirect resources to train and retrain employees on their critical responsibility to maintain the security of your company’s IT operations. If they’re not involved, you’re fighting a losing battle. QuickLink 52486
Data Thefts

islation, which he has yet to file as a bill, is similar to a proposed Corporate Information Security Accountability Act that was outlined two years ago by Rep. Adam Putnam (R-Fla.) but never formally introduced.

“It’s really scary stuff,” the financial services security analyst said. “Corzine’s bill is certainly one of the most radical ones that have been proposed recently, and it has drawn a lot of concern.”

There clearly are “undertones of the Sarbanes-Oxley model” in the proposal, said Erin Kenneally, a forensic IT analyst at the San Diego Supercomputer Center’s Pacific Institute for Computer Security in La Jolla, Calif.

Lawmakers Step Up

Several other measures are already in front of Congress, including one that would set a national law requiring businesses and government agencies to notify affected individuals if databases are breached and their personal information is compromised (see chart). Most of the legislative proposals have either emerged or been reinvigorated following a string of recent data-security snafus at companies such as ChoicePoint Inc., Bank of America Corp. and Reed Elsevier Inc.’s LexisNexis unit.

Like the other measures, Corzine’s promised bill is a long way from becoming a law, and lawyers and analysts who focus on IT security stressed that there is no telling whether it can garner the needed support in Congress. But the proposal reflects what appears to be a growing conviction among lawmakers that strong federal data privacy and information security guidelines are needed in the wake of the recent breaches, said Christopher Pierson, a lawyer at Lewis and Roca LLP in Phoenix.

Stephen Wu, president of InfoSec Law Group PC in Mountain View, Calif., noted that bills such as Corzine’s “often don’t seem to get very far, except when things get so outrageous that action is forced on Congress.”

For example, the financial reporting mandates built into the Sarbanes-Oxley Act followed a string of corporate accounting scandals, Wu said. He added that with the recent data lapses “all coming seemingly on the heels of one another, we are beginning to see the same sort of sentiment” about the need for more security requirements.

Unlike regulations for specific industries, such as those based on the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act for financial services, any new privacy laws may be much broader in scope, said Nahra, who is a lawyer at Wiley Rein & Fielding LLP in Washington.

Companies need to be prepared, said Michael Rasmussen, an analyst at Forrester Research Inc. “It really is all about starting to document your security practices and overall compliance” with existing requirements, Rasmussen said.

Companies need to classify their data and get a full understanding of both the process and technology measures that are in place for securing protected information, Rasmussen added. They also need to set policies for responding to and disclosing security breaches and focus on issues such as vulnerability management, employee training, communication and security awareness, he said. QuickLink 53256
DATA SECURITY BILLS

Consumer Privacy Protection Act [H.R. 1263]
Introduced by Rep. Cliff Stearns (R-Fla.) on March 10. Requires data collectors to notify consumers that their personal information is being shared with other companies and to give them a chance to limit the amount of data being disclosed.

Information Protection and Security Act [S. 500 and H.R. 1080]
Introduced in both the Senate and House on March 10 by Sen. Bill Nelson (D-Fla.) and Rep. Edward Markey (D-Mass.). Would give the Federal Trade Commission the power to develop regulations on the sale of personal information.
Status: S. 500 has been referred to the Senate Committee on Commerce, Science and Transportation. H.R. 1080 was referred to the House Subcommittee on Commerce, Trade and Consumer Protection.

Notification of Risk to Personal Data Act [S. 1350]
Originally introduced by Sen. Dianne Feinstein (D-Calif.) in June 2003. Would require businesses to notify affected individuals when their personal data is compromised.
Status: Resides with the Senate Subcommittee on Terrorism, Technology and Homeland Security. Hearings on the bill have been held.


Hacked on Each Coast

Boston College, Cal State say no personal data lost

BY LINDA ROSENCRANCE

A computer used for fundraising activities at Boston College was hacked into this month, initially raising concerns that the Social Security numbers and other personal information of some 120,000 alumni might have been compromised.

Although BC alerted the affected alumni to the breach, the college is now sure that no personal data was stolen, said spokesman Jack Dunn.

The break-in was the second such incident reported last week by a university. Officials at California State University, Chico, disclosed that hackers had broken into a housing and food service system containing information about 59,000 current, former and prospective students, faculty and staff, including their names and Social Security numbers.

A statement on the school’s Web site said the intruders apparently installed rootkit software on the system for storing music, movie and game files. They also attempted to break into other university computers, the school said.

At BC, Dunn said the hacker planted a program that could be used to launch attacks against other computers.

The school’s IT department discovered the security breach on a computer that was managed by a third-party vendor and located in BC’s fundraising calling center, according to Dunn. He said that during routine monitoring of the university’s computers, IT staffers noticed “a spike in activity on this particular computer.” The workers immediately took the machine off-line, secured it and launched a computer-forensics investigation, Dunn said. The investigation concluded that the computer wasn’t targeted to access personal information but to allow attacks, he added.

The IT team determined that the personal data stored on the system wasn’t accessed, Dunn noted. Nevertheless, he said, “we decided to send out the precautionary advisories to all of our alumni on the computer, and we offered guidelines they should consider to ensure their privacy.”

BC is now purging all Social Security numbers from the affected computer and will no longer use them as alumni identifiers, Dunn said. He said the school will institute a new identification system.

Dunn said BC has contacted local law enforcement agencies but had not yet contacted state or federal authorities.

Officials at California State University are now notifying each person whose name and Social Security number was on the system, in accordance with state law. There is no indication that the hackers were targeting confidential information, school officials said.

The compromised system has been “rebuilt and secured” and has been put back onto the university’s network, they added. It is now being reviewed by an outside security firm.

News of the breach comes just as the university has put in place plans to use a randomly assigned nine-digit ID number for students and employees instead of Social Security numbers. QuickLink 53253

MORE NEWS ONLINE

For additional coverage of IT security issues, go to our Web site.
Secure EHR

“No one disagrees on the benefits of an electronic health record, just who should pay for the process of conversion,” wrote one M.D. who read my column on EHR two weeks ago. “Most hospitals don’t have the funds to support a massive conversion to all-EHR. So it’s easy to have Mr. Hayes suggest a mandate. I’d just like to know, who will fund it?”

Hold that thought. Here’s another reader: “There is another issue that I think holds things back, and that is worries about privacy. Anything on paper is, by definition, more private than anything in digital form, especially when most doctors use Microsoft products.”

Now let’s talk about Kaiser Permanente [QuickLink 53209].

Somehow, live data on 140 patients of the big HMO was posted to an internal development Web site, which became visible on the Internet.

An ex-employee says she was doing a Web search and found the patient data through a Google result. She filed a federal complaint that Kaiser had violated the Health Insurance Portability and Accountability Act and linked to the data in her weblog.

Now Kaiser is contacting the affected patients and seeking a restraining order against the ex-employee. The U.S. Office of Civil Rights, which enforces HIPAA, is looking into the mess. And suddenly, mandating electronic patient information doesn’t sound like it’s such a great idea, does it?

Maybe not. Or, just maybe, the right mandate might be a better idea than ever.

Let’s be realistic: Electronic information can leak. It happened in recent months to LexisNexis (data stolen on 32,000 people) and ChoicePoint (info on 145,000 people fraudulently purchased). Bank of America shipped backup tapes containing the credit card records of 1.2 million federal employees, including 60 U.S. senators, on commercial airlines in December — and they went missing, too.

Kaiser, which historically has been close to fanatical about patient privacy for its 8 million-plus members, hasn’t been immune. In 2000, an IT staffer used a one-time script to clear an e-mail backlog. Result: Confidential information on 858 patients was sent to 17 other patients who weren’t supposed to get that information.





FRANK HAYES, Computer- 
Yes, electronic information can leak more easily than information on paper. And that’s most likely to happen with one-off scripts or unauthorized demonstrations or lashed-together data pipes. When security and privacy are designed into a system and procedures are rigorously followed — and enforced by the system — leakage is a lot less likely.

How do you maximize security and privacy for, say, electronic health records? You design it in from the start in a standard way. You mandate encryption (and what kind), you specify authentication (and how it works), you nail down access control (and all the details). In short, you force an EHR standard.

That will take a mandate, whether from Medicare or HIPAA or some other 800-pound gorilla that can force the health care industry to comply. Without it, there will be no privacy-oriented EHR standard, and we’ll end up with a thousand kinds of EHR, all lashed together with leaky pipes. Doing it right will require a lot less variety — and a lot more money.

And yes, to answer the doctor whose question kicked off this column, we already know who will pay for it. We all will, whether as patients or insurance buyers or taxpayers. Exactly how is up in the air. Incentives? Taxes? Higher medical bills? Free software? We don’t know. But we know this: In the end, the money always comes from customers — from us.

And as long as we’re paying for EHR, let’s make sure we get a system with security and privacy built in from the ground up. QuickLink 53215
Enough With Winter Already!

Environmental sensor goes off on Monday at 8:25 a.m.: water in the computer room. But when help arrives, no water is to be seen. Wednesday it happens again; still no water. Maybe it’s a bad sensor? Nope. “It snowed both days,” pilot fish explains. “A tech had snow on his shoes, and it spread out just enough to set off the sensor. By the time we got there, the water was either gone or so small an amount that you couldn’t see it. We taught him to stomp his feet on the way in, and the problem was solved.”